{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-42095", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-24T14:41:51.939Z", "dateReserved": "2026-04-24T00:00:00.000Z", "datePublished": "2026-04-24T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Arianna", "vendor": "KDE", "versions": [{"lessThan": "26.04.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "bookserver in KDE Arianna before 26.04.1 allows attackers to read files over a socket connection by guessing a URL."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-24T14:15:03.734Z"}, "references": [{"url": "https://github.com/KDE/arianna/tags"}, {"url": "https://kde.org/info/security/advisory-20260424-1.txt"}, {"url": "https://invent.kde.org/graphics/arianna/-/commit/485851d25de279a9d2711d3780443530e9851300"}, {"url": "https://invent.kde.org/graphics/arianna/-/commit/3cd56fce103ab62887c5592827d78a1197cd926a"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T14:41:27.892370Z", "id": "CVE-2026-42095", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T14:41:51.939Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-42095", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T14:41:27.892370Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T14:41:32.781Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "KDE", "product": "Arianna", "versions": [{"status": "affected", "version": "0", "lessThan": "26.04.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/KDE/arianna/tags"}, {"url": "https://kde.org/info/security/advisory-20260424-1.txt"}, {"url": "https://invent.kde.org/graphics/arianna/-/commit/485851d25de279a9d2711d3780443530e9851300"}, {"url": "https://invent.kde.org/graphics/arianna/-/commit/3cd56fce103ab62887c5592827d78a1197cd926a"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "bookserver in KDE Arianna before 26.04.1 allows attackers to read files over a socket connection by guessing a URL."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-24T14:15:03.734Z"}}}, "cveMetadata": {"cveId": "CVE-2026-42095", "state": "PUBLISHED", "dateUpdated": "2026-04-24T14:41:51.939Z", "dateReserved": "2026-04-24T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-24T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "bookserver in KDE Arianna before 26.04.1 allows attackers to read files over a socket connection by guessing a URL."}], "id": "CVE-2026-42095", "lastModified": "2026-04-24T17:55:55.317", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-24T15:16:48.273", "references": [{"source": "cve@mitre.org", "url": "https://github.com/KDE/arianna/tags"}, {"source": "cve@mitre.org", "url": "https://invent.kde.org/graphics/arianna/-/commit/3cd56fce103ab62887c5592827d78a1197cd926a"}, {"source": "cve@mitre.org", "url": "https://invent.kde.org/graphics/arianna/-/commit/485851d25de279a9d2711d3780443530e9851300"}, {"source": "cve@mitre.org", "url": "https://kde.org/info/security/advisory-20260424-1.txt"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.04.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Arianna", "source": "cna", "vendor": "KDE"}, "product": "arianna", "vendor": "kde"}], "analysis": {"en": {"generated_at": "2026-04-28T14:32:07.004916+00:00", "value": {"mitigation_remediation": ["Upgrade KDE Arianna to version 26.04.1 or newer to eliminate the file\u2011read flaw.", "If upgrading is not immediately possible, restrict the bookserver socket to trusted hosts or localhost only using firewall or network access controls.", "Continuously monitor incoming connections to the bookserver for anomalous URL requests and review logs for signs of unauthorized file access."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "KDE Arianna is affected in all releases prior to 26.04.1. The issue exists in the bookserver component and does not apply to versions 26.04.1 and later, which already contain the fix.", "description_and_impact": "The vulnerability in KDE Arianna\u2019s bookserver allows an attacker to read arbitrary files by guessing a URL over a socket connection. This provides unauthorized access to potentially sensitive data on the system. The weakness is a Missing Authentication for Sensitive Functionality flaw (CWE\u2011306), meaning the server does not require proper credentials before allowing file reads.", "risk_and_exploitability": "The CVSS score of 4 indicates moderate severity, and the EPSS score of less than 1% suggests exploitation is unlikely but not impossible. The vulnerability is not listed in the CISA KEV catalog, further implying limited exploitation activity. Attackers would need network or local access to the socket used by the bookserver; the likely vector is sending crafted URLs to the socket, bypassing authentication due to the design flaw."}}}}, "created": "2026-04-27T18:42:00.074007+00:00", "updated": "2026-04-28T14:45:16.180967+00:00", "vendors": ["kde", "kde$PRODUCT$arianna"]}