CVE-2025-64486
published 2025-11-08


Priority: P345
Severity: critical, 9.3 (CVSS 4.0)
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (threat, environmental and supplemental metrics all X, i.e. not defined)
EPSS: 0.16% (5.5th percentile)

Reading the vector: AV:L with UI:P means the attacker needs the victim to open or convert a file they supplied; there is no network-reachable path. The high subsequent-system impact (SC/SI/SA:H) reflects the arbitrary file write being escalated to code execution, as the description below states.
calibre is an e-book manager. In versions 8.13.0 and prior, calibre does not validate filenames when handling binary assets in FB2 files, allowing an attacker to write arbitrary files on the filesystem when viewing or converting a malicious FictionBook file. This can be leveraged to achieve arbitrary code execution. This issue is fixed in version 8.14.0.
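The bug class is a classic one: an attacker-controlled name from inside a document is turned into a filesystem path without being constrained to a plain basename. In FictionBook 2.0, embedded assets live in `<binary id="..." content-type="...">` elements whose text is base64. The following is an added example, not calibre's code and not its fix: it assumes (as the advisory wording suggests) that the asset filename is derived from the `id` attribute, scans a constructed FB2 document for ids that would escape the output directory, and shows an extraction routine that applies both a basename allow-list and a realpath containment check. The sample document, the names `find_unsafe_binary_ids`, `write_binaries` and `run_demo`, and the rejected ids are all constructed for illustration.

```python
import base64
import os
import tempfile
import xml.etree.ElementTree as ET

# FictionBook 2.0 namespace; binary assets are <binary id="..." content-type="...">
# elements carrying base64 text.
FB2_NS = "http://www.gribuser.ru/xml/fictionbook/2.0"
BINARY_TAG = "{%s}binary" % FB2_NS


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed sample document (not a real exploit file): one legitimate cover image
# and three binary ids that a reader must never turn into filesystem paths.
SAMPLE_FB2 = (
    '<FictionBook xmlns="%s">'
    "<body><section><p>demo</p></section></body>"
    '<binary id="cover.jpg" content-type="image/jpeg">%s</binary>'
    '<binary id="../../outside.txt" content-type="text/plain">%s</binary>'
    '<binary id="/tmp/absolute.txt" content-type="text/plain">%s</binary>'
    '<binary id="..\\..\\win.txt" content-type="text/plain">%s</binary>'
    "</FictionBook>"
) % (FB2_NS, _b64(b"\xff\xd8demo"), _b64(b"one"), _b64(b"two"), _b64(b"three"))


def is_safe_asset_name(name: str) -> bool:
    """Accept only a plain basename: no separators (either flavour), no '.'/'..',
    no colon (Windows drive letters and alternate data streams), no NUL."""
    if not name or name in (".", ".."):
        return False
    if any(ch in name for ch in "/\\:\x00"):
        return False
    return True


def find_unsafe_binary_ids(fb2_xml: str) -> list[str]:
    """Triage helper: list every <binary> id that the allow-list rejects."""
    root = ET.fromstring(fb2_xml)
    return [
        b.get("id", "")
        for b in root.iter(BINARY_TAG)
        if not is_safe_asset_name(b.get("id", ""))
    ]


def write_binaries(fb2_xml: str, dest_dir: str) -> list[str]:
    """Decode each binary asset into dest_dir, skipping unsafe ids.

    Two independent checks: the basename allow-list above, and a realpath
    containment check so that an edge case the allow-list misses still cannot
    land outside dest_dir. Returns the names actually written.
    """
    root = ET.fromstring(fb2_xml)
    base = os.path.realpath(dest_dir)
    written = []
    for binary in root.iter(BINARY_TAG):
        bid = binary.get("id", "")
        if not is_safe_asset_name(bid):
            continue
        target = os.path.realpath(os.path.join(base, bid))
        if os.path.dirname(target) != base:
            continue
        with open(target, "wb") as fh:
            fh.write(base64.b64decode(binary.text or ""))
        written.append(bid)
    return written


def run_demo() -> dict:
    """Scan the constructed sample, then extract it into a fresh temp dir."""
    unsafe = find_unsafe_binary_ids(SAMPLE_FB2)
    with tempfile.TemporaryDirectory() as tmp:
        written = write_binaries(SAMPLE_FB2, tmp)
        on_disk = sorted(os.listdir(tmp))
    return {"unsafe": unsafe, "written": written, "on_disk": on_disk}


if __name__ == "__main__":
    print(run_demo())
```

The allow-list, rather than a deny-list of `..` sequences, is the important design choice: it also rejects absolute paths, backslash separators that only matter on Windows, and drive-letter or stream colons, without having to enumerate them. The containment check is cheap defence in depth and is the test to run when auditing any other code that writes document-derived names to disk.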

Affected (5 ranges)

Vendor        Product   Version range                            Fixed in
debian        calibre   < 6.13.0+repack-2+deb12u5 (bookworm)     6.13.0+repack-2+deb12u5 (bookworm)
kovidgoyal    calibre   < 8.14.0                                 8.14.0
kovidgoyal    calibre   >= 0, < 6.13.0+repack-2+deb12u5          6.13.0+repack-2+deb12u5
kovidgoyal    calibre   >= 0, < 8.5.0+ds-1+deb13u1               8.5.0+ds-1+deb13u1
kovidgoyal    calibre   >= 0, < 8.14.0+ds+~0.10.5-1              8.14.0+ds+~0.10.5-1

Note that the three kovidgoyal rows with +repack/+ds suffixes are Debian package versions, not upstream releases: deb12u5 is the bookworm (Debian 12) security update, deb13u1 the trixie (Debian 13) update, and 8.14.0+ds+~0.10.5-1 the package built from the fixed upstream release. For upstream installs the only version that matters is 8.14.0 or later; for Debian, compare the installed package version against the suite's fixed version rather than against 8.14.0.

CVSS provenance

Source          CVSS version   Score   Severity   Vector
nvd             4.0            9.3     CRITICAL   CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv             -              9.3     CRITICAL   -
vendor_debian   -              9.3     CRITICAL   -