CVE-2026-44776
Kavita (cross‑platform reading server) prior to 0.9.0 did not enforce library‑level authorization for several download and metadata endpoints, allowing a low‑privileged user who knows a chapterId/volumeId/seriesId to access unrelated library content. Affected endpoints include /api/Download/volum...