CVE-2026-42451
Grimmory: Stored XSS via Malicious EPUB Enables Session Token Theft
CVSS Score
6.3
EPSS Score
0.0%
EPSS Percentile
0th
Grimmory is a self-hosted digital library. Prior to version 2.3.1, a stored cross-site scripting (XSS) vulnerability in Grimmory's browser-based EPUB reader allows an attacker to embed arbitrary JavaScript in a crafted EPUB file. When a victim opens the book, the script executes in their browser with full access to the Grimmory application's session context. This can enable session token theft and account takeover, including administrative access if an administrator opens the affected book. This issue has been patched in version 2.3.1.
| CWE | CWE-79 CWE-80 |
| Vendor | grimmory-tools |
| Product | grimmory |
| Published | May 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for grimmory-tools grimmory
Be the first to know when new medium vulnerabilities affecting grimmory-tools grimmory are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low
Affected Versions
grimmory-tools / grimmory
< 2.3.1