CVE-2018-7889 — Deserialization of Untrusted Data in Calibre

CWE-502 — Deserialization of Untrusted Data7 documents6 sources

Severity

7.8HIGHNVD

EPSS

10.9%

top 6.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Calibre-ebook Calibre Debian Calibre

Timeline

PublishedMar 8

Latest updateJan 27

Description

gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on imported bookmark data, which allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/calibre< calibre 3.19.0+dfsg-1 (bookworm)

▶Debiancalibre-ebook/calibre< 3.19.0+dfsg-1+3

▶NVDcalibre-ebook/calibre3.18.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-7hmv-6p8v-7rmw: gui2/viewer/bookmarkmanager↗2022-05-14

▶

OSV

CVE-2018-7889: gui2/viewer/bookmarkmanager↗2018-03-08

▶

📋Vendor Advisories

Debian

CVE-2018-7889: calibre - gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on imported bo...↗2018

▶

📄Research Papers

arXiv

AgenticSCR: An Autonomous Agentic Secure Code Review for Immature Vulnerabilities Detection↗2026-01-27

▶

💬Community

Bugzilla

CVE-2018-7889 calibre: Deserialization vulnerability in calibre/gui2/viewer/bookmarkmanager.py↗2018-03-09

▶

Bugzilla

CVE-2018-7889 calibre: Deserialization vulnerability in calibre/gui2/viewer/bookmarkmanager.py [fedora-all]↗2018-03-09

▶