CVE-2026-26065: Path Traversal in Calibre

CWE-22 (Path Traversal); 9 documents, 5 sources

Severity: 9.3 CRITICAL (NVD); NVD: 8.2
EPSS: 0.0% (top 86.70%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 20; Latest update Mar 13

Description

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below are vulnerable to Path Traversal through PDB readers (both 132-byte and 202-byte header variants) that allow arbitrary file writes with arbitrary extension and arbitrary content anywhere the user has write permissions. Files are written in 'wb' mode, silently overwriting existing files. This can lead to potential code execution and Denial of Service through file corruptio

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected Packages (5 packages)

NVD: calibre-ebook/calibre < 9.5.0 (+1)
Debian: calibre-ebook/calibre < 9.5.0+ds+~0.10.5-1
debian: debian/calibre < calibre 9.5.0+ds+~0.10.5-1 (forky) (+1)
CVEListV5: kovidgoyal/calibre < 9.5.0
Debian: kovidgoyal/calibre < 9.3.0+ds+~0.10.5-1

Patches

Vulnerability Details (2)

OSV: CVE-2026-30853: calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books (2026-03-13)
OSV: CVE-2026-26065: calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books (2026-02-20)

Vendor Advisories (3)

Red Hat: calibre: Calibre: Arbitrary file write via crafted RocketBook (.rb) file (2026-03-13)
Debian: CVE-2026-30853: calibre - calibre is a cross-platform e-book manager for viewing, converting, editing, and... (2026)
Debian: CVE-2026-26065: calibre - calibre is a cross-platform e-book manager for viewing, converting, editing, and... (2026)

Threat Intelligence (2)

Wiz: CVE-2026-30853 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: CVE-2026-26065 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-26065 — Path Traversal in Kovidgoyal Calibre | cvebase