Description
Grimmory is a self-hosted digital library. Prior to version 2.3.1, a stored cross-site scripting (XSS) vulnerability in Grimmory's browser-based EPUB reader allows an attacker to embed arbitrary JavaScript in a crafted EPUB file. When a victim opens the book, the script executes in their browser with full access to the Grimmory application's session context. This can enable session token theft and account takeover, including administrative access if an administrator opens the affected book. This issue has been patched in version 2.3.1.
Published: 2026-05-08
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Grimmory's browser-based EPUB reader contained a stored cross-site scripting flaw that lets an attacker embed arbitrary JavaScript in a crafted EPUB file. When a user opens the book, the malicious script runs in the victim's browser with the same privileges as the Grimmory application itself, giving it access to the current session and allowing theft of authentication tokens. This can lead to full account takeover, and if an administrator opens the file, administrative control can be compromised as well. The weakness is a classic client-side XSS, mapped to CWE-79 and CWE-80.

Affected Systems

All self-hosted deployments of Grimmory prior to version 2.3.1 are affected. The issue is reported for the grimmory-tools:grimmory product, and the advisory lists v2.3.1 as the patch release. Deployments running older releases should be reviewed for exposure to this vulnerability.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, while the EPSS score is currently unavailable and the vulnerability has not been cataloged in CISA's KEV list. The flaw is exploitable by uploading or injecting a malicious EPUB file that a targeted user then opens, so the likelihood of exploitation depends on the size of the user base and on file-sharing practices. Because the script executes in the victim's browser with full session context, an attacker who succeeds could hijack accounts without needing any additional foothold.

Generated by OpenCVE AI on May 9, 2026 at 00:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Grimmory to version 2.3.1 or later to eliminate the stored XSS flaw.
  • If upgrading is not immediately possible, disable or heavily restrict EPUB upload functionality to trusted users only.
  • Apply a robust Content-Security-Policy header that blocks execution of inline scripts, to reduce the impact if an attacker bypasses file restrictions.

Advisories

No advisories yet.

History

Fri, 08 May 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | Grimmory is a self-hosted digital library. Prior to version 2.3.1, a stored cross-site scripting (XSS) vulnerability in Grimmory's browser-based EPUB reader allows an attacker to embed arbitrary JavaScript in a crafted EPUB file. When a victim opens the book, the script executes in their browser with full access to the Grimmory application's session context. This can enable session token theft and account takeover, including administrative access if an administrator opens the affected book. This issue has been patched in version 2.3.1.
Title | | Grimmory: Stored XSS via Malicious EPUB Enables Session Token Theft
Weaknesses | | CWE-79, CWE-80
References | |
Metrics | | cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T22:51:21.920Z

Reserved: 2026-04-27T13:55:58.693Z

Link: CVE-2026-42451

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T23:16:38.680

Modified: 2026-05-08T23:16:38.680

Link: CVE-2026-42451

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T00:30:21Z

Weaknesses