cbcvebase.
CVE-2026-26064
published 2026-02-20


Priority: P2 (62)
Severity: high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.88% (54.6th percentile)
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows, this leads to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. Function extract_pictures only checks startswith('Pictures'), and does not sanitize '..' sequences. calibre's own ZipFile.extractall() in utils/zipfile.py does sanitize '..' via _get_targetpath(), but extract_pictures() bypasses this by using manual zf.read() + open(). This issue has been fixed in version 9.3.0.

Affected (4 ranges)

Vendor          Product   Version range                          Fixed in
calibre-ebook   calibre   < 9.3.0                                9.3.0
debian          calibre   < calibre 9.3.0+ds+~0.10.5-1 (forky)   calibre 9.3.0+ds+~0.10.5-1 (forky)
kovidgoyal      calibre   < 9.3.0                                9.3.0
kovidgoyal      calibre   >= 0, < 9.3.0+ds+~0.10.5-1             9.3.0+ds+~0.10.5-1

Detection & IOCs (extracted from sources)

  • The vulnerable function `extract_pictures` only checks that a ZIP entry path starts with 'Pictures' but does not sanitize '..' sequences, enabling path traversal. Detect crafted e-book (ZIP) files containing entries with paths like 'Pictures/../../../' that escape the intended extraction directory.
  • The vulnerability is exploited by bypassing calibre's safe extraction path (utils/zipfile.py ZipFile.extractall / _get_targetpath) via manual zf.read() + open() calls. Monitor calibre processes performing file writes outside expected library/book directories, especially to system or user Startup folders.
  • On Windows, successful exploitation results in a payload written to the user's Startup folder, executing on next login. Monitor for unexpected file creation events in '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup' or '%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup' by calibre processes.
  • Flag calibre versions 9.2.1 and below as vulnerable. Inventory and alert on these versions in your environment.
  • The path traversal only allows writes to locations where the running user has write permissions; privilege escalation to system-level paths is not directly possible without pre-existing elevated rights.
  • The RCE-via-Startup-folder vector is Windows-specific. On other platforms (Linux, macOS), the impact is limited to arbitrary file write within user-writable paths.
  • Debian bookworm, bullseye, and trixie remain unpatched as of the advisory; only forky and sid have the fix (9.3.0+ds+~0.10.5-1). Treat all Debian-based deployments not on forky/sid as vulnerable.
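The description above contrasts a prefix-only check (startswith('Pictures')) with proper path sanitization, and the first detection bullet calls for flagging archive entries whose paths escape the extraction directory. The following is an added example, not calibre's code and not taken from the advisory: it places a prefix-only check of the kind described beside a containment check, and runs a name-only scanner over a sample archive constructed in memory. All function names (weak_is_picture, hardened_is_picture, escapes_destination, find_traversal_entries, select_picture_entries, build_sample_archive) are hypothetical, the sample entry names are constructed, and nothing is written to disk.

```python
"""Added example, not calibre's code: a prefix-only member check of the kind the
advisory describes, beside a containment check, plus a name-only archive scanner.
All function names are hypothetical; the sample archive is constructed in memory
and nothing is ever written to disk."""
import io
import posixpath
import zipfile


def weak_is_picture(name: str) -> bool:
    """Prefix-only check, as described in the advisory: startswith('Pictures').
    It accepts 'Pictures/../../x' and also unrelated names such as 'PicturesEvil/x'."""
    return name.startswith("Pictures")


def normalize_member(name: str) -> str:
    """Normalise a ZIP member name with POSIX rules (ZIP names use '/').
    Backslashes are folded to '/' first so a Windows-style '..\\' is not missed."""
    return posixpath.normpath(name.replace("\\", "/"))


def escapes_destination(name: str) -> bool:
    """True if extracting `name` relative to a destination directory would land
    outside it: absolute names, drive-letter names, or a normalised path that
    begins with '..'. This is the property a safe extractor must enforce."""
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return True
    norm = normalize_member(name)
    return norm == ".." or norm.startswith("../")


def hardened_is_picture(name: str) -> bool:
    """Containment check: the member must stay inside the destination AND
    inside the 'Pictures/' sub-directory after normalisation."""
    if escapes_destination(name):
        return False
    return normalize_member(name).startswith("Pictures/")


def find_traversal_entries(zip_bytes: bytes) -> list[str]:
    """Detection helper for the first bullet above: return the member names in an
    archive that would escape the extraction directory. Inspects names only."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if escapes_destination(i.filename)]


def select_picture_entries(zip_bytes: bytes) -> list[str]:
    """What a hardened extract_pictures-style routine would agree to extract."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if hardened_is_picture(i.filename)]


def build_sample_archive() -> bytes:
    """Constructed sample (not a real e-book): one legitimate picture entry and
    several names that the prefix-only check would wrongly accept."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Pictures/cover.jpg", b"constructed image bytes")
        zf.writestr("Pictures/../../../traversal.txt", b"constructed")
        zf.writestr("PicturesEvil/x.txt", b"constructed")
        zf.writestr("Pictures/../Other/y.txt", b"constructed")
        zf.writestr("content.xml", b"<constructed/>")
    return buf.getvalue()


if __name__ == "__main__":
    data = build_sample_archive()
    for name in zipfile.ZipFile(io.BytesIO(data)).namelist():
        print(f"{name:35} weak={weak_is_picture(name)!s:5} hardened={hardened_is_picture(name)}")
    print("would escape:", find_traversal_entries(data))
    print("would extract:", select_picture_entries(data))
```

The containment check deliberately rejects two classes the prefix test lets through: names whose normalised form climbs above the destination ('Pictures/../../../traversal.txt', including the backslash spelling), and names that merely share the prefix ('PicturesEvil/x.txt', 'Pictures/../Other/y.txt') without being inside the Pictures directory. Because the scanner looks only at member names, it can be run over incoming files as a detection step without extracting anything.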

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd            v4.0     9.3    CRITICAL  CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv            -        9.3    CRITICAL  -
vendor_debian  -        9.3    CRITICAL  -