CVE-2026-26064
Published: 2026-02-20
Priority: P2 · 62
CVSS 3.1: 8.8 (high), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.88% (54.6th percentile)
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows, this leads to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. Function extract_pictures only checks startswith('Pictures'), and does not sanitize '..' sequences. calibre's own ZipFile.extractall() in utils/zipfile.py does sanitize '..' via _get_targetpath(), but extract_pictures() bypasses this by using manual zf.read() + open(). This issue has been fixed in version 9.3.0.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| calibre-ebook | calibre | < 9.3.0 | 9.3.0 |
| debian | calibre | < calibre 9.3.0+ds+~0.10.5-1 (forky) | calibre 9.3.0+ds+~0.10.5-1 (forky) |
| kovidgoyal | calibre | < 9.3.0 | 9.3.0 |
| kovidgoyal | calibre | >= 0 < 9.3.0+ds+~0.10.5-1 | 9.3.0+ds+~0.10.5-1 |
Detection & IOCs (extracted from sources)
- The vulnerable function `extract_pictures` only checks that a ZIP entry path starts with 'Pictures' but does not sanitize '..' sequences, enabling path traversal. Detect crafted e-book (ZIP) files containing entries with paths like 'Pictures/../../../' that escape the intended extraction directory.
- The vulnerability is exploited by bypassing calibre's safe extraction path (utils/zipfile.py ZipFile.extractall / _get_targetpath) via manual zf.read() + open() calls. Monitor calibre processes performing file writes outside expected library/book directories, especially to system or user Startup folders.
- On Windows, successful exploitation results in a payload written to the user's Startup folder, executing on next login. Monitor for unexpected file creation events in '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup' or '%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup' by calibre processes.
- Flag calibre versions 9.2.1 and below as vulnerable. Inventory and alert on these versions in your environment.
- The path traversal only allows writes to locations where the running user has write permissions; privilege escalation to system-level paths is not directly possible without pre-existing elevated rights.
- The RCE-via-Startup-folder vector is Windows-specific. On other platforms (Linux, macOS), the impact is limited to arbitrary file write within user-writable paths.
- Debian bookworm, bullseye, and trixie remain unpatched as of the advisory; only forky and sid have the fix (9.3.0+ds+~0.10.5-1). Treat all Debian-based deployments not on forky/sid as vulnerable.
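As an added example (not calibre's code and not taken from the advisory), the check that the description and the first detection bullet turn on: a bare startswith('Pictures') accepts 'Pictures/../../x', while the hardened version normalizes the entry name and requires every remaining component to sit below Pictures/. The sample ZIP is constructed inline, and the destination directory 'out' and the entry names are assumptions.

```python
import io
import posixpath
import zipfile
from typing import List, Optional

PICTURES_PREFIX = "Pictures/"

def safe_picture_target(name: str, dest_dir: str) -> Optional[str]:
    """Return the extraction path for a Pictures/ entry, or None if the entry
    must be rejected. A bare startswith('Pictures') check, the flaw described
    in the advisory, accepts 'Pictures/../../x'; this normalizes first and
    then requires every remaining component to sit below Pictures/."""
    unix_name = name.replace("\\", "/")  # calibre also runs on Windows, where '\' separates
    if not unix_name.startswith(PICTURES_PREFIX) or unix_name.endswith("/"):
        return None  # wrong prefix (e.g. 'PicturesX/'), or a directory entry
    parts = posixpath.normpath(unix_name).split("/")
    if len(parts) < 2 or parts[0] != "Pictures":
        return None  # '..' components walked out of Pictures/ (or to the root)
    if ".." in parts or any(":" in p for p in parts):
        return None  # defensive: residual '..' or a drive-letter-like component
    return posixpath.join(dest_dir, "/".join(parts))

def find_escaping_entries(zip_bytes: bytes) -> List[str]:
    """Triage helper for suspect e-books: entries that would pass the flawed
    prefix check but fail the hardened one."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [
            info.filename
            for info in zf.infolist()
            if not info.is_dir()
            and info.filename.startswith("Pictures")
            and safe_picture_target(info.filename, "out") is None
        ]

def build_sample_zip() -> bytes:
    """Constructed sample (not a real e-book): one benign picture, two entries
    shaped like the traversal the advisory describes, one unrelated file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Pictures/cover.jpg", b"\xff\xd8\xff")
        zf.writestr("Pictures/../../../escaped_a.txt", b"constructed marker")
        zf.writestr("Pictures\\..\\..\\escaped_b.txt", b"constructed marker")
        zf.writestr("OEBPS/content.opf", b"<package/>")
    return buf.getvalue()

if __name__ == "__main__":
    print(find_escaping_entries(build_sample_zip()))
```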
CVSS provenance
- NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD (v4.0): 9.3 CRITICAL, CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- OSV: 9.3 CRITICAL
- vendor_debian: 9.3 CRITICAL
Debian (vendor_debian · 2026 · CVSS 9.3)
CVE-2026-26064 [CRITICAL]: calibre
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 9.3.0+ds+~0.10.5-1)
sid: resolved (fixed in 9.3.0+ds+~0
OSV (osv · 2026-02-20 · CVSS 9.3)
CVE-2026-26064 [CRITICAL]: calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books
No detection rules found.
No public exploits indexed.