OPENSUSE-SU-2026:10587-1 - Vulnerability-Lookup

OPENSUSE-SU-2026:10587-1

Vulnerability from csaf_opensuse - Published: 2026-04-21 00:00 - Updated: 2026-04-21 00:00

Summary

calibre-9.7.0-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: calibre-9.7.0-1.1 on GA media

Description of the patch: These are all security issues fixed in the calibre-9.7.0-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10587

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

CVE-2026-25635

8.6 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-25636

8.2 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-25731

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-26064

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-26065

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-27810

6.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-27824

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-30853

8.2 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-33205

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-33206

6.3 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/o…	self
	https://www.suse.com/security/cve/CVE-2026-25635/	self
	https://www.suse.com/security/cve/CVE-2026-25636/	self
	https://www.suse.com/security/cve/CVE-2026-25731/	self
	https://www.suse.com/security/cve/CVE-2026-26064/	self
	https://www.suse.com/security/cve/CVE-2026-26065/	self
	https://www.suse.com/security/cve/CVE-2026-27810/	self
	https://www.suse.com/security/cve/CVE-2026-27824/	self
	https://www.suse.com/security/cve/CVE-2026-30853/	self
	https://www.suse.com/security/cve/CVE-2026-33205/	self
	https://www.suse.com/security/cve/CVE-2026-33206/	self
	https://www.suse.com/security/cve/CVE-2026-25635	external
	https://bugzilla.suse.com/1257885	external
	https://www.suse.com/security/cve/CVE-2026-25636	external
	https://bugzilla.suse.com/1257886	external
	https://www.suse.com/security/cve/CVE-2026-25731	external
	https://bugzilla.suse.com/1257879	external
	https://www.suse.com/security/cve/CVE-2026-26064	external
	https://bugzilla.suse.com/1258529	external
	https://www.suse.com/security/cve/CVE-2026-26065	external
	https://bugzilla.suse.com/1258530	external
	https://www.suse.com/security/cve/CVE-2026-27810	external
	https://bugzilla.suse.com/1259042	external
	https://www.suse.com/security/cve/CVE-2026-27824	external
	https://bugzilla.suse.com/1259043	external
	https://www.suse.com/security/cve/CVE-2026-30853	external
	https://bugzilla.suse.com/1259688	external
	https://www.suse.com/security/cve/CVE-2026-33205	external
	https://bugzilla.suse.com/1260987	external
	https://www.suse.com/security/cve/CVE-2026-33206	external
	https://bugzilla.suse.com/1260986	external

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "calibre-9.7.0-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the calibre-9.7.0-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10587",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10587-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-25635 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-25635/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-25636 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-25636/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-25731 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-25731/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-26064 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-26064/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-26065 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-26065/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-27810 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-27810/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-27824 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-27824/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-30853 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-30853/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-33205 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-33205/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-33206 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-33206/"
      }
    ],
    "title": "calibre-9.7.0-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-04-21T00:00:00Z",
      "generator": {
        "date": "2026-04-21T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10587-1",
      "initial_release_date": "2026-04-21T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-04-21T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "calibre-9.7.0-1.1.aarch64",
                "product": {
                  "name": "calibre-9.7.0-1.1.aarch64",
                  "product_id": "calibre-9.7.0-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "calibre-9.7.0-1.1.ppc64le",
                "product": {
                  "name": "calibre-9.7.0-1.1.ppc64le",
                  "product_id": "calibre-9.7.0-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "calibre-9.7.0-1.1.s390x",
                "product": {
                  "name": "calibre-9.7.0-1.1.s390x",
                  "product_id": "calibre-9.7.0-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "calibre-9.7.0-1.1.x86_64",
                "product": {
                  "name": "calibre-9.7.0-1.1.x86_64",
                  "product_id": "calibre-9.7.0-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "calibre-9.7.0-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64"
        },
        "product_reference": "calibre-9.7.0-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "calibre-9.7.0-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le"
        },
        "product_reference": "calibre-9.7.0-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "calibre-9.7.0-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x"
        },
        "product_reference": "calibre-9.7.0-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "calibre-9.7.0-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
        },
        "product_reference": "calibre-9.7.0-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-25635",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-25635"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "calibre is an e-book manager. Prior to 9.2.0, Calibre\u0027s CHM reader contains a path traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows (haven\u0027t tested on other OS\u0027s), this can lead to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. This vulnerability is fixed in 9.2.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-25635",
          "url": "https://www.suse.com/security/cve/CVE-2026-25635"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1257885 for CVE-2026-25635",
          "url": "https://bugzilla.suse.com/1257885"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-21T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-25635"
    },
    {
      "cve": "CVE-2026-25636",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-25636"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre\u0027s EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-25636",
          "url": "https://www.suse.com/security/cve/CVE-2026-25636"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1257886 for CVE-2026-25636",
          "url": "https://bugzilla.suse.com/1257886"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-21T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-25636"
    },
    {
      "cve": "CVE-2026-25731",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-25731"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre\u0027s Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index command-line options. This vulnerability is fixed in 9.2.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-25731",
          "url": "https://www.suse.com/security/cve/CVE-2026-25731"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1257879 for CVE-2026-25731",
          "url": "https://bugzilla.suse.com/1257879"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-21T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-25731"
    },
    {
      "cve": "CVE-2026-26064",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-26064"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows, this leads to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. Function extract_pictures only checks startswith(\u0027Pictures\u0027), and does not sanitize \u0027..\u0027 sequences. calibre\u0027s own ZipFile.extractall() in utils/zipfile.py does sanitize \u0027..\u0027 via _get_targetpath(), but extract_pictures() bypasses this by using manual zf.read() + open(). This issue has been fixed in version 9.3.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-26064",
          "url": "https://www.suse.com/security/cve/CVE-2026-26064"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1258529 for CVE-2026-26064",
          "url": "https://bugzilla.suse.com/1258529"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-21T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-26064"
    },
    {
      "cve": "CVE-2026-26065",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-26065"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below are vulnerable to Path Traversal through PDB readers (both 132-byte and 202-byte header variants) that allow arbitrary file writes with arbitrary extension and arbitrary content anywhere the user has write permissions. Files are written in \u0027wb\u0027 mode, silently overwriting existing files. This can lead to potential code execution and Denial of Service through file corruption. This issue has been fixed in version 9.3.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-26065",
          "url": "https://www.suse.com/security/cve/CVE-2026-26065"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1258530 for CVE-2026-26065",
          "url": "https://bugzilla.suse.com/1258530"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-21T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-26065"
    },
    {
      "cve": "CVE-2026-27810",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-27810"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, an HTTP Response Header Injection vulnerability in the calibre Content Server allows any authenticated user to inject arbitrary HTTP headers into server responses via an unsanitized `content_disposition` query parameter in the `/get/` and `/data-files/get/` endpoints. All users running the calibre Content Server with authentication enabled are affected. The vulnerability is exploitable by any authenticated user and can also be triggered by tricking an authenticated victim into clicking a crafted link. Version 9.4.0 contains a fix for the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-27810",
          "url": "https://www.suse.com/security/cve/CVE-2026-27810"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259042 for CVE-2026-27810",
          "url": "https://bugzilla.suse.com/1259042"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-21T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-27810"
    },
    {
      "cve": "CVE-2026-27824",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-27824"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Server\u0027s brute-force protection mechanism uses a ban key derived from both `remote_addr` and the `X-Forwarded-For` header. Since the `X-Forwarded-For` header is read directly from the HTTP request without any validation or trusted-proxy configuration, an attacker can bypass IP-based bans by simply changing or adding this header, rendering the brute-force protection completely ineffective. This is particularly dangerous for calibre servers exposed to the internet, where brute-force protection is the primary defense against credential stuffing and password guessing attacks. Version 9.4.0 contains a fix for the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-27824",
          "url": "https://www.suse.com/security/cve/CVE-2026-27824"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259043 for CVE-2026-27824",
          "url": "https://bugzilla.suse.com/1259043"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-21T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-27824"
    },
    {
      "cve": "CVE-2026-30853",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-30853"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to 9.5.0, a path traversal vulnerability in the RocketBook (.rb) input plugin (src/calibre/ebooks/rb/reader.py) allows an attacker to write arbitrary files to any path writable by the calibre process when a user opens or converts a crafted .rb file. This is the same bug class fixed in CVE-2026-26065 for the PDB readers, but the fix was never applied to the RB reader. This vulnerability is fixed in 9.5.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-30853",
          "url": "https://www.suse.com/security/cve/CVE-2026-30853"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259688 for CVE-2026-30853",
          "url": "https://bugzilla.suse.com/1259688"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-21T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-30853"
    },
    {
      "cve": "CVE-2026-33205",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-33205"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader\u0027s web view allows an attacker to perform blind GET requests to arbitrary URLs and exfiltrate information out from the ebook sandbox. Version 9.6.0 patches the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-33205",
          "url": "https://www.suse.com/security/cve/CVE-2026-33205"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260987 for CVE-2026-33205",
          "url": "https://bugzilla.suse.com/1260987"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-21T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-33205"
    },
    {
      "cve": "CVE-2026-33206",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-33206"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a path traversal vulnerability exists in Calibre\u0027 handling of images in Markdown and other similar text-based files allowing an attacker to include arbitrary files from the file system into the converted book. Additionally, missing authentication and server-side request forgery in the background-image endpoint in the ebook reader web view allow the files to be exfiltrated without additional interaction. Version 9.6.0 contains a fix.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
          "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-33206",
          "url": "https://www.suse.com/security/cve/CVE-2026-33206"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260986 for CVE-2026-33206",
          "url": "https://bugzilla.suse.com/1260986"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.aarch64",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.ppc64le",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.s390x",
            "openSUSE Tumbleweed:calibre-9.7.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-21T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-33206"
    }
  ]
}

CVE-2026-25636 (GCVE-0-2026-25636)

Vulnerability from cvelistv5 – Published: 2026-02-06 20:07 – Updated: 2026-02-11 14:51

Title

calibre has a Path Traversal Leading to Arbitrary File Corruption and Code Execution

Summary

calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0.

Severity ?

8.2 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-73 - External Control of File Name or Path
CWE-94 - Improper Control of Generation of Code ('Code Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/kovidgoyal/calibre/security/ad…	x_refsource_CONFIRM
	https://github.com/kovidgoyal/calibre/commit/9484…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	kovidgoyal	calibre	Affected: < 9.2.0

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25636",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-09T15:19:25.611213Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-09T15:28:11.765Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-02-11T14:51:19.827Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://0x5t.raptx.org/posts/calibre-epub-rce"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "calibre",
          "vendor": "kovidgoyal",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 9.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre\u0027s EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "CWE-73: External Control of File Name or Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-06T20:07:40.529Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-8r26-m7j5-hm29",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-8r26-m7j5-hm29"
        },
        {
          "name": "https://github.com/kovidgoyal/calibre/commit/9484ea82c6ab226c18e6ca5aa000fa16de598726",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kovidgoyal/calibre/commit/9484ea82c6ab226c18e6ca5aa000fa16de598726"
        }
      ],
      "source": {
        "advisory": "GHSA-8r26-m7j5-hm29",
        "discovery": "UNKNOWN"
      },
      "title": "calibre has a Path Traversal Leading to Arbitrary File Corruption and Code Execution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25636",
    "datePublished": "2026-02-06T20:07:40.529Z",
    "dateReserved": "2026-02-04T05:15:41.790Z",
    "dateUpdated": "2026-02-11T14:51:19.827Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-26064 (GCVE-0-2026-26064)

Vulnerability from cvelistv5 – Published: 2026-02-20 01:44 – Updated: 2026-02-20 15:34

Title

calibre: Path Traversal Vulnerability Enables Arbitrary File Write and Remote Code Execution

Summary

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows, this leads to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. Function extract_pictures only checks startswith('Pictures'), and does not sanitize '..' sequences. calibre's own ZipFile.extractall() in utils/zipfile.py does sanitize '..' via _get_targetpath(), but extract_pictures() bypasses this by using manual zf.read() + open(). This issue has been fixed in version 9.3.0.

Severity ?

9.3 (Critical)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/kovidgoyal/calibre/security/ad…	x_refsource_CONFIRM
	https://github.com/kovidgoyal/calibre/commit/e1b5…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	kovidgoyal	calibre	Affected: < 9.3.0

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-26064",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-20T15:29:11.225512Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-20T15:34:24.625Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "calibre",
          "vendor": "kovidgoyal",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 9.3.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows, this leads to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. Function extract_pictures only checks startswith(\u0027Pictures\u0027), and does not sanitize \u0027..\u0027 sequences. calibre\u0027s own ZipFile.extractall() in utils/zipfile.py does sanitize \u0027..\u0027 via _get_targetpath(), but extract_pictures() bypasses this by using manual zf.read() + open(). This issue has been fixed in version 9.3.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-20T01:44:34.137Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-72ch-3hqc-pgmp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-72ch-3hqc-pgmp"
        },
        {
          "name": "https://github.com/kovidgoyal/calibre/commit/e1b5f9b45a5e8fa96c136963ad9a1d35e6adac62",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kovidgoyal/calibre/commit/e1b5f9b45a5e8fa96c136963ad9a1d35e6adac62"
        }
      ],
      "source": {
        "advisory": "GHSA-72ch-3hqc-pgmp",
        "discovery": "UNKNOWN"
      },
      "title": "calibre: Path Traversal Vulnerability Enables Arbitrary File Write and Remote Code Execution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-26064",
    "datePublished": "2026-02-20T01:44:34.137Z",
    "dateReserved": "2026-02-10T18:01:31.900Z",
    "dateUpdated": "2026-02-20T15:34:24.625Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27810 (GCVE-0-2026-27810)

Vulnerability from cvelistv5 – Published: 2026-02-27 19:44 – Updated: 2026-03-02 12:53

Title

calibre Vulnerable to HTTP Response Header Injection

Summary

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, an HTTP Response Header Injection vulnerability in the calibre Content Server allows any authenticated user to inject arbitrary HTTP headers into server responses via an unsanitized `content_disposition` query parameter in the `/get/` and `/data-files/get/` endpoints. All users running the calibre Content Server with authentication enabled are affected. The vulnerability is exploitable by any authenticated user and can also be triggered by tricking an authenticated victim into clicking a crafted link. Version 9.4.0 contains a fix for the issue.

Severity ?

6.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE

CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Assigner

GitHub_M

References

URL

Tags

https://github.com/kovidgoyal/calibre/security/ad…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	kovidgoyal	calibre	Affected: < 9.4.0

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27810",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-02T12:53:21.102653Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-02T12:53:36.368Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "calibre",
          "vendor": "kovidgoyal",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 9.4.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, an HTTP Response Header Injection vulnerability in the calibre Content Server allows any authenticated user to inject arbitrary HTTP headers into server responses via an unsanitized `content_disposition` query parameter in the `/get/` and `/data-files/get/` endpoints. All users running the calibre Content Server with authentication enabled are affected. The vulnerability is exploitable by any authenticated user and can also be triggered by tricking an authenticated victim into clicking a crafted link. Version 9.4.0 contains a fix for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-113",
              "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-27T19:44:39.106Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-5fpj-fxw7-8grw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-5fpj-fxw7-8grw"
        }
      ],
      "source": {
        "advisory": "GHSA-5fpj-fxw7-8grw",
        "discovery": "UNKNOWN"
      },
      "title": "calibre Vulnerable to HTTP Response Header Injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27810",
    "datePublished": "2026-02-27T19:44:39.106Z",
    "dateReserved": "2026-02-24T02:31:33.267Z",
    "dateUpdated": "2026-03-02T12:53:36.368Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-26065 (GCVE-0-2026-26065)

Vulnerability from cvelistv5 – Published: 2026-02-20 01:54 – Updated: 2026-02-20 16:41

Title

calibre: Path Traversal can Lead to Arbitrary File Write and Potential Code Execution

Summary

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below are vulnerable to Path Traversal through PDB readers (both 132-byte and 202-byte header variants) that allow arbitrary file writes with arbitrary extension and arbitrary content anywhere the user has write permissions. Files are written in 'wb' mode, silently overwriting existing files. This can lead to potential code execution and Denial of Service through file corruption. This issue has been fixed in version 9.3.0.

Severity ?

9.3 (Critical)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/kovidgoyal/calibre/security/ad…	x_refsource_CONFIRM
	https://github.com/kovidgoyal/calibre/commit/b6da…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	kovidgoyal	calibre	Affected: < 9.3.0

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-26065",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-20T16:41:04.261516Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-20T16:41:32.281Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "calibre",
          "vendor": "kovidgoyal",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 9.3.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below are vulnerable to Path Traversal through PDB readers (both 132-byte and 202-byte header variants) that allow arbitrary file writes with arbitrary extension and arbitrary content anywhere the user has write permissions. Files are written in \u0027wb\u0027 mode, silently overwriting existing files. This can lead to potential code execution and Denial of Service through file corruption. This issue has been fixed in version 9.3.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-20T01:54:03.128Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-vmfh-7mr7-pp2w",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-vmfh-7mr7-pp2w"
        },
        {
          "name": "https://github.com/kovidgoyal/calibre/commit/b6da1c3878c06eb1356cb0ec1106cb66e0e9bfb8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kovidgoyal/calibre/commit/b6da1c3878c06eb1356cb0ec1106cb66e0e9bfb8"
        }
      ],
      "source": {
        "advisory": "GHSA-vmfh-7mr7-pp2w",
        "discovery": "UNKNOWN"
      },
      "title": "calibre: Path Traversal can Lead to Arbitrary File Write and Potential Code Execution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-26065",
    "datePublished": "2026-02-20T01:54:03.128Z",
    "dateReserved": "2026-02-10T18:01:31.900Z",
    "dateUpdated": "2026-02-20T16:41:32.281Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25635 (GCVE-0-2026-25635)

Vulnerability from cvelistv5 – Published: 2026-02-06 20:10 – Updated: 2026-02-11 14:54

Title

calibre has a Path Traversal Leading to Arbitrary File Write and Potential Code Execution

Summary

calibre is an e-book manager. Prior to 9.2.0, Calibre's CHM reader contains a path traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows (haven't tested on other OS's), this can lead to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. This vulnerability is fixed in 9.2.0.

Severity ?

8.6 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/kovidgoyal/calibre/security/ad…	x_refsource_CONFIRM
	https://github.com/kovidgoyal/calibre/commit/9739…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	kovidgoyal	calibre	Affected: < 9.2.0

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25635",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-09T15:20:48.529881Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-09T15:28:06.665Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-02-11T14:54:23.143Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://0x5t.raptx.org/posts/calibre-chm-rce"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "calibre",
          "vendor": "kovidgoyal",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 9.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "calibre is an e-book manager. Prior to 9.2.0, Calibre\u0027s CHM reader contains a path traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows (haven\u0027t tested on other OS\u0027s), this can lead to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. This vulnerability is fixed in 9.2.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-06T20:10:29.839Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-32vh-whvh-9fxr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-32vh-whvh-9fxr"
        },
        {
          "name": "https://github.com/kovidgoyal/calibre/commit/9739232fcb029ac15dfe52ccd4fdb4a07ebb6ce9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kovidgoyal/calibre/commit/9739232fcb029ac15dfe52ccd4fdb4a07ebb6ce9"
        }
      ],
      "source": {
        "advisory": "GHSA-32vh-whvh-9fxr",
        "discovery": "UNKNOWN"
      },
      "title": "calibre has a Path Traversal Leading to Arbitrary File Write and Potential Code Execution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25635",
    "datePublished": "2026-02-06T20:10:29.839Z",
    "dateReserved": "2026-02-04T05:15:41.790Z",
    "dateUpdated": "2026-02-11T14:54:23.143Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27824 (GCVE-0-2026-27824)

Vulnerability from cvelistv5 – Published: 2026-02-27 19:46 – Updated: 2026-03-02 12:54

Title

calibre has IP Ban Bypass via X-Forwarded-For Header Spoofing

Summary

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Server's brute-force protection mechanism uses a ban key derived from both `remote_addr` and the `X-Forwarded-For` header. Since the `X-Forwarded-For` header is read directly from the HTTP request without any validation or trusted-proxy configuration, an attacker can bypass IP-based bans by simply changing or adding this header, rendering the brute-force protection completely ineffective. This is particularly dangerous for calibre servers exposed to the internet, where brute-force protection is the primary defense against credential stuffing and password guessing attacks. Version 9.4.0 contains a fix for the issue.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-307 - Improper Restriction of Excessive Authentication Attempts
CWE-346 - Origin Validation Error

Assigner

GitHub_M

References

URL

Tags

https://github.com/kovidgoyal/calibre/security/ad…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	kovidgoyal	calibre	Affected: < 9.4.0

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27824",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-02T12:54:19.314863Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-02T12:54:32.182Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "calibre",
          "vendor": "kovidgoyal",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 9.4.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Server\u0027s brute-force protection mechanism uses a ban key derived from both `remote_addr` and the `X-Forwarded-For` header. Since the `X-Forwarded-For` header is read directly from the HTTP request without any validation or trusted-proxy configuration, an attacker can bypass IP-based bans by simply changing or adding this header, rendering the brute-force protection completely ineffective. This is particularly dangerous for calibre servers exposed to the internet, where brute-force protection is the primary defense against credential stuffing and password guessing attacks. Version 9.4.0 contains a fix for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-346",
              "description": "CWE-346: Origin Validation Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-27T19:46:07.612Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-vhxc-r7v8-2xrw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-vhxc-r7v8-2xrw"
        }
      ],
      "source": {
        "advisory": "GHSA-vhxc-r7v8-2xrw",
        "discovery": "UNKNOWN"
      },
      "title": "calibre has IP Ban Bypass via X-Forwarded-For Header Spoofing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27824",
    "datePublished": "2026-02-27T19:46:07.612Z",
    "dateReserved": "2026-02-24T02:32:39.799Z",
    "dateUpdated": "2026-03-02T12:54:32.182Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33206 (GCVE-0-2026-33206)

Vulnerability from cvelistv5 – Published: 2026-03-27 13:53 – Updated: 2026-03-27 14:48

Title

calibre has a path traversal vulnerability

Summary

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a path traversal vulnerability exists in Calibre' handling of images in Markdown and other similar text-based files allowing an attacker to include arbitrary files from the file system into the converted book. Additionally, missing authentication and server-side request forgery in the background-image endpoint in the ebook reader web view allow the files to be exfiltrated without additional interaction. Version 9.6.0 contains a fix.

Severity ?

8.2 (High)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

CWE

CWE-23 - Relative Path Traversal

Assigner

GitHub_M

References

URL

Tags

https://github.com/kovidgoyal/calibre/security/ad…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	kovidgoyal	calibre	Affected: < 9.6.0

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33206",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T14:48:39.922938Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T14:48:44.155Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-h3p4-m74f-43g6"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "calibre",
          "vendor": "kovidgoyal",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 9.6.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a path traversal vulnerability exists in Calibre\u0027 handling of images in Markdown and other similar text-based files allowing an attacker to include arbitrary files from the file system into the converted book. Additionally, missing authentication and server-side request forgery in the background-image endpoint in the ebook reader web view allow the files to be exfiltrated without additional interaction. Version 9.6.0 contains a fix."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23: Relative Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-27T13:53:22.833Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-h3p4-m74f-43g6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-h3p4-m74f-43g6"
        }
      ],
      "source": {
        "advisory": "GHSA-h3p4-m74f-43g6",
        "discovery": "UNKNOWN"
      },
      "title": "calibre has a path traversal vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33206",
    "datePublished": "2026-03-27T13:53:22.833Z",
    "dateReserved": "2026-03-17T23:23:58.312Z",
    "dateUpdated": "2026-03-27T14:48:44.155Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-30853 (GCVE-0-2026-30853)

Vulnerability from cvelistv5 – Published: 2026-03-13 19:00 – Updated: 2026-03-13 19:42

Title

calibre has a Path Traversal Leading to Arbitrary File Write

Summary

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to 9.5.0, a path traversal vulnerability in the RocketBook (.rb) input plugin (src/calibre/ebooks/rb/reader.py) allows an attacker to write arbitrary files to any path writable by the calibre process when a user opens or converts a crafted .rb file. This is the same bug class fixed in CVE-2026-26065 for the PDB readers, but the fix was never applied to the RB reader. This vulnerability is fixed in 9.5.0.

Severity ?

5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

URL

Tags

https://github.com/kovidgoyal/calibre/security/ad…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	kovidgoyal	calibre	Affected: < 9.5.0

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-30853",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-13T19:42:19.321037Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-13T19:42:26.573Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "calibre",
          "vendor": "kovidgoyal",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 9.5.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to 9.5.0, a path traversal vulnerability in the RocketBook (.rb) input plugin (src/calibre/ebooks/rb/reader.py) allows an attacker to write arbitrary files to any path writable by the calibre process when a user opens or converts a crafted .rb file. This is the same bug class fixed in CVE-2026-26065 for the PDB readers, but the fix was never applied to the RB reader. This vulnerability is fixed in 9.5.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-13T19:00:09.925Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-7mp7-rfrg-542x",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-7mp7-rfrg-542x"
        }
      ],
      "source": {
        "advisory": "GHSA-7mp7-rfrg-542x",
        "discovery": "UNKNOWN"
      },
      "title": "calibre has a Path Traversal Leading to Arbitrary File Write"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-30853",
    "datePublished": "2026-03-13T19:00:09.925Z",
    "dateReserved": "2026-03-05T21:27:35.341Z",
    "dateUpdated": "2026-03-13T19:42:26.573Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33205 (GCVE-0-2026-33205)

Vulnerability from cvelistv5 – Published: 2026-03-27 13:52 – Updated: 2026-03-27 19:58

Title

calibre has Server-Side Request Forgery in ebook viewer backend

Summary

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader's web view allows an attacker to perform blind GET requests to arbitrary URLs and exfiltrate information out from the ebook sandbox. Version 9.6.0 patches the issue.

Severity ?

4.8 (Medium)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

URL

Tags

https://github.com/kovidgoyal/calibre/security/ad…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	kovidgoyal	calibre	Affected: < 9.6.0

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33205",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T18:57:50.837886Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T19:58:43.747Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "calibre",
          "vendor": "kovidgoyal",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 9.6.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader\u0027s web view allows an attacker to perform blind GET requests to arbitrary URLs and exfiltrate information out from the ebook sandbox. Version 9.6.0 patches the issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-27T13:52:06.860Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v"
        }
      ],
      "source": {
        "advisory": "GHSA-4926-v9px-wv7v",
        "discovery": "UNKNOWN"
      },
      "title": "calibre has Server-Side Request Forgery in ebook viewer backend"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33205",
    "datePublished": "2026-03-27T13:52:06.860Z",
    "dateReserved": "2026-03-17T23:23:58.312Z",
    "dateUpdated": "2026-03-27T19:58:43.747Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25731 (GCVE-0-2026-25731)

Vulnerability from cvelistv5 – Published: 2026-02-06 20:14 – Updated: 2026-02-06 21:02

Title

Calibre Affected by Arbitrary Code Execution via Server-Side Template Injection in Calibre HTML Export

Summary

calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index command-line options. This vulnerability is fixed in 9.2.0.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine

Assigner

GitHub_M

References

URL

Tags

	https://github.com/kovidgoyal/calibre/security/ad…	x_refsource_CONFIRM
	https://github.com/kovidgoyal/calibre/commit/f064…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	kovidgoyal	calibre	Affected: < 9.2.0

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25731",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-06T21:01:31.473045Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-06T21:02:01.147Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "calibre",
          "vendor": "kovidgoyal",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 9.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre\u0027s Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index command-line options. This vulnerability is fixed in 9.2.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1336",
              "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-06T20:14:35.822Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-xrh9-w7qx-3gcc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-xrh9-w7qx-3gcc"
        },
        {
          "name": "https://github.com/kovidgoyal/calibre/commit/f0649b27512e987b95fcab2e1e0a3bcdafc23379",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kovidgoyal/calibre/commit/f0649b27512e987b95fcab2e1e0a3bcdafc23379"
        }
      ],
      "source": {
        "advisory": "GHSA-xrh9-w7qx-3gcc",
        "discovery": "UNKNOWN"
      },
      "title": "Calibre Affected by Arbitrary Code Execution via Server-Side Template Injection in Calibre HTML Export"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25731",
    "datePublished": "2026-02-06T20:14:35.822Z",
    "dateReserved": "2026-02-05T16:48:00.427Z",
    "dateUpdated": "2026-02-06T21:02:01.147Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.