CVE-2023-44451
Published: 03 May 2024
Summary
CVE-2023-44451 is a high-severity Path Traversal (CWE-22) vulnerability in Linuxmint Xreader. Its CVSS base score is 7.8 (High).
Operationally, ranked in the top 2.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-44451 is a directory traversal vulnerability in Linux Mint Xreader that occurs during the parsing of EPUB files. The flaw stems from insufficient validation of user-supplied paths before they are used in file operations, enabling an attacker to influence file system access. It affects installations of the Xreader document viewer and carries a CVSS 3.1 score of 7.8 with CWE-22 classification.
Remote attackers can exploit the issue by supplying a malicious EPUB file or directing a target to a page hosting one. Successful exploitation grants arbitrary code execution in the context of the current user, though user interaction is required to open the crafted file.
Public references point to a fix merged in commit 141f1313745b9cc73670df51ac145165efcbb14a of the xreader repository, and the Zero Day Initiative advisory ZDI-23-1835 provides additional technical details on the issue.
EPSS scores for the vulnerability reached a peak of 0.5583 on 2025-12-11 before receding to the current value of 0.4870. No information on observed in-the-wild exploitation is supplied in the source data.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-48791
Vulnerability details
Linux Mint Xreader EPUB File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Mint Xreader. User interaction is required to exploit this vulnerability in that the target…
more
must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of EPUB files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-21897.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.