CVE-2026-25636
Published 2026-02-06
Priority P344 · Severity high · CVSS 3.1 base score 7.8
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.21% (11.1th percentile)
calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0.
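The description above pins the weakness to one step: a CipherReference URI from META-INF/encryption.xml is turned into an absolute filesystem path and opened for writing without checking that it stays inside the extraction directory. The Python below is an added example, not calibre's own code or its 9.2.0 fix, of how a converter can validate those URIs before touching the filesystem: it decodes the URI, rejects schemes and absolute paths, normalises `..` segments, and confirms the resolved path is still under the extraction root. The sample encryption.xml and the extraction directory path are constructed for illustration.

```python
# Added example: validate CipherReference URIs from META-INF/encryption.xml
# before opening anything. Not calibre's code; the sample XML and the
# extraction directory below are constructed for illustration.
import posixpath
from pathlib import Path
from urllib.parse import unquote, urlsplit
import xml.etree.ElementTree as ET

# XML Encryption namespace used for EncryptedData/CipherReference in EPUB
XENC = "{http://www.w3.org/2001/04/xmlenc#}"


class UnsafeCipherReference(ValueError):
    """Raised when a CipherReference URI would resolve outside the extraction dir."""


def cipher_reference_uris(encryption_xml: str) -> list:
    """Return every CipherReference/@URI in document order."""
    root = ET.fromstring(encryption_xml)
    return [el.get("URI", "") for el in root.iter(XENC + "CipherReference")]


def resolve_within(extract_dir: str, uri: str) -> Path:
    """Map a container-relative URI to a path inside extract_dir, or raise."""
    parts = urlsplit(uri)
    if parts.scheme or parts.netloc:
        raise UnsafeCipherReference(f"non-relative URI: {uri!r}")
    rel = unquote(parts.path)  # decode %2e etc. before any path reasoning
    if not rel or rel.startswith("/") or "\\" in rel or "\x00" in rel:
        raise UnsafeCipherReference(f"absolute or malformed path: {uri!r}")
    norm = posixpath.normpath(rel)
    if norm == "." or norm == ".." or norm.startswith("../"):
        raise UnsafeCipherReference(f"parent traversal: {uri!r}")
    base = Path(extract_dir).resolve()
    target = (base / norm).resolve()  # resolve() also follows symlinks on the way
    try:
        target.relative_to(base)
    except ValueError:
        raise UnsafeCipherReference(f"escapes extraction dir: {uri!r}") from None
    return target


def partition_references(extract_dir: str, encryption_xml: str):
    """Split CipherReference URIs into resolvable targets and rejected (uri, reason) pairs."""
    accepted, rejected = [], []
    for uri in cipher_reference_uris(encryption_xml):
        try:
            accepted.append(resolve_within(extract_dir, uri))
        except UnsafeCipherReference as exc:
            rejected.append((uri, str(exc)))
    return accepted, rejected


# Constructed encryption.xml: one legitimate font reference plus four URIs
# that point outside the container in different ways.
SAMPLE_ENCRYPTION_XML = """<encryption xmlns="urn:oasis:names:tc:opendocument:xmlns:container"
            xmlns:enc="http://www.w3.org/2001/04/xmlenc#">
  <enc:EncryptedData>
    <enc:EncryptionMethod Algorithm="http://www.idpf.org/2008/embedding"/>
    <enc:CipherData><enc:CipherReference URI="OEBPS/fonts/body.otf"/></enc:CipherData>
  </enc:EncryptedData>
  <enc:EncryptedData>
    <enc:CipherData><enc:CipherReference URI="../../../home/reader/notes.txt"/></enc:CipherData>
  </enc:EncryptedData>
  <enc:EncryptedData>
    <enc:CipherData><enc:CipherReference URI="/etc/hosts"/></enc:CipherData>
  </enc:EncryptedData>
  <enc:EncryptedData>
    <enc:CipherData><enc:CipherReference URI="OEBPS/%2e%2e/%2e%2e/outside.txt"/></enc:CipherData>
  </enc:EncryptedData>
  <enc:EncryptedData>
    <enc:CipherData><enc:CipherReference URI="file:///tmp/elsewhere"/></enc:CipherData>
  </enc:EncryptedData>
</encryption>
"""


if __name__ == "__main__":
    ok, bad = partition_references("/tmp/epub-extract-demo", SAMPLE_ENCRYPTION_XML)
    for path in ok:
        print("accepted:", path)
    for uri, reason in bad:
        print("rejected:", reason)
```

The order of checks matters: percent-decoding happens before normalisation so that `%2e%2e` cannot slip past the `..` test, and the final `relative_to` check runs on fully resolved paths so that a symlink already sitting in the extraction directory cannot redirect the write either. A converter that calls `resolve_within` and only then opens the file in read-write mode never reaches an existing file outside the extraction root.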
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| calibre-ebook | calibre | < 9.2.0 | 9.2.0 |
| debian | calibre | < calibre 9.2.0+ds+~0.10.5-1 (forky) | calibre 9.2.0+ds+~0.10.5-1 (forky) |
| kovidgoyal | calibre | < 9.2.0 | 9.2.0 |
| kovidgoyal | calibre | >= 0 < 9.2.0+ds+~0.10.5-1 | 9.2.0+ds+~0.10.5-1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| osv | | 7.8 | HIGH | |
| vendor_debian | | 8.2 | HIGH | |
| vendor_redhat | | 8.2 | HIGH | |
Red Hat
calibre: Calibre: Arbitrary file corruption via path traversal in EPUB conversion
vendor_redhat · 2026-02-06 · CVSS 8.2 (HIGH)
A flaw was found in Calibre, an e-book manager. This path traversal vulnerability allows a malicious EPUB (electronic publication) file to corrupt arbitrary files on the system that the Calibre process has write access to. During EPUB conversion, Calibre
Debian
CVE-2026-25636: calibre - calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerabili...
vendor_debian · 2026 · CVSS 8.2 (HIGH)
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 9.2.0+ds+~0.10.5-1)
sid: resolved (fixed in 9.2.0+ds+~0.10.5-1)
trixie: open
OSV
CVE-2026-25636: calibre is an e-book manager
osv · 2026-02-06 · CVSS 7.8 (HIGH)
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-25636 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.2 (HIGH)
CVE-2026-25636: NixOS vulnerability analysis and mitigation
Source: NVD
Score: 7.8
Published: February 6, 2026
Severity: HIGH
CNA Score: 8.2
Affected Technologies: NixOS, Homebrew
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS)
Bugzilla
CVE-2026-25636 calibre: Calibre: Arbitrary file corruption via path traversal in EPUB conversion [fedora-42]
bugzilla · 2026-02-09 · CVSS 7.8 (HIGH)
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintain