KDE Project Security Advisory
=============================

Title:          Arianna: Files accessible over the local network
Risk Rating:    Low
CVE:            CVE-2026-42095
Versions:       arianna < 26.04.1
Author:         Albert Astals Cid <aacid@kde.org>
Date:           24 April 2026

Overview
========

Arianna is an ebook reader. For technical reasons it exposes the files to itself
via a socket connection.

Impact
======

While Arianna is running, users with access to the local network can potentially
guess the URL to ask for files and access them.

Workaround
==========

Do not use Arianna on a local network with untrusted users.
Do not use Arianna on a local system with untrusted users.

Solution
========

Update to arianna >= 26.04.1 (when released)

Or apply these patches:
https://invent.kde.org/graphics/arianna/-/commit/485851d25de279a9d2711d3780443530e9851300
https://invent.kde.org/graphics/arianna/-/commit/3cd56fce103ab62887c5592827d78a1197cd926a

Credits
=======

Thanks to h for reporting this issue and to Carl Schwan for fixing it.