CVE-2026-55408
Received Received - Intake

Remote Code Execution in Koodo Reader via Malicious EPUB

Vulnerability report for CVE-2026-55408, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Koodo Reader is an ebook reader. In version 2.3.0 and earlier, Koodo Reader is vulnerable to remote code execution through malicious EPUB files because the open-book IPC handler enables nodeIntegrationInSubFrames and EPUB chapter content is rendered with unsanitized innerHTML. An attacker can craft an EPUB book that, when imported and opened by the victim, instantiates a hidden iframe with Node.js API access and executes arbitrary operating system commands with the victim user's privileges. This issue is fixed in version 2.3.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
koodo_reader koodo_reader to 2.3.1 (exc)
koodo_reader koodo_reader 2.3.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Koodo Reader, an ebook reader application, has a vulnerability in version 2.3.0 and earlier that allows remote code execution. This happens because the application enables nodeIntegrationInSubFrames in its open-book IPC handler and renders EPUB chapter content using unsanitized innerHTML. An attacker can create a malicious EPUB file that, when opened by a user, loads a hidden iframe with access to Node.js APIs, allowing the attacker to execute arbitrary operating system commands with the user's privileges.

This vulnerability is fixed in version 2.3.1 of Koodo Reader.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary operating system commands on your device with the same privileges as the user running Koodo Reader. This could lead to unauthorized access, data theft, installation of malware, or other malicious activities on your system.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Koodo Reader to version 2.3.1 or later, where the issue is fixed.

Avoid importing or opening EPUB files from untrusted or unknown sources, as malicious EPUB files can exploit this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55408. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart