CVE-2026-26064 — Path Traversal in Calibre

CWE-22 — Path Traversal4 documents4 sources

Severity

9.3CRITICALNVD

EPSS

0.1%

top 77.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kovidgoyal Calibre Calibre-ebook Calibre Debian Calibre

Timeline

PublishedFeb 20

Description

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows, this leads to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. Function extract_pictures only checks startswith('Pictures'), and does not sanitize '..' sequences. calibre's own ZipFile.extractall() in …

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected Packages4 packages

▶NVDcalibre-ebook/calibre< 9.3.0

▶debiandebian/calibre< calibre 9.3.0+ds+~0.10.5-1 (forky)

▶CVEListV5kovidgoyal/calibre< 9.3.0

▶Debiankovidgoyal/calibre< 9.3.0+ds+~0.10.5-1

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2026-26064: calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books↗2026-02-20

▶

📋Vendor Advisories

Debian

CVE-2026-26064: calibre - calibre is a cross-platform e-book manager for viewing, converting, editing, and...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-26064 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶