CVE-2026-27810 — HTTP Request/Response Splitting in Calibre
Severity
6.4 MEDIUM (NVD)
EPSS
0.1%
top 83.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Feb 27
Description
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, an HTTP Response Header Injection vulnerability in the calibre Content Server allows any authenticated user to inject arbitrary HTTP headers into server responses via an unsanitized `content_disposition` query parameter in the `/get/` and `/data-files/get/` endpoints. All users running the calibre Content Server with authentication enabled are affected. The vulnerability i…
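A defender-side check for the condition described above, as an added example that is not calibre's code or its fix: it scans access-log lines for requests to the two named endpoints whose `content_disposition` value decodes to control characters. The log layout (common log format, as a reverse proxy might write it), the sample paths and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoints and parameter named in the advisory text.
AFFECTED_PREFIXES = ("/get/", "/data-files/get/")
PARAM = "content_disposition"
# Assumed log layout: ... "METHOD target HTTP/x.y" status ...
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Control characters have no place in a header value; CR and LF are the ones that split headers.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def suspicious_value(target):
    """Return the decoded content_disposition value if it holds control characters, else None."""
    parts = urlsplit(target)
    if not parts.path.startswith(AFFECTED_PREFIXES):
        return None
    # parse_qsl percent-decodes once, so %0d%0a becomes a literal CR LF here.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == PARAM and CONTROL_RE.search(value):
            return value
    return None


def scan(lines):
    """Return a list of (line_number, status, repr_of_value), one per flagged request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        value = suspicious_value(match.group("target"))
        if value is not None:
            hits.append((number, int(match.group("status")), repr(value)))
    return hits


# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - alice [27/Feb/2026:10:00:01 +0000] "GET /get/EPUB/12/library?content_disposition=inline HTTP/1.1" 200 48211',
    '192.0.2.44 - bob [27/Feb/2026:10:02:17 +0000] "GET /get/EPUB/12/library?content_disposition=inline%0d%0aX-Example:%201 HTTP/1.1" 200 48211',
    '192.0.2.44 - bob [27/Feb/2026:10:02:40 +0000] "GET /data-files/get/12/notes.txt/library?content_disposition=attachment%0AX-Example:%201 HTTP/1.1" 200 120',
    '192.0.2.10 - alice [27/Feb/2026:10:03:00 +0000] "GET /ajax/search?query=a%0ab HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit means the request was sent, not that a response was altered; check it against the server version, since the description places the issue in versions prior to 9.4.0.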
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Exploitability: 3.1 | Impact: 2.7
Affected Packages: 4 packages
Vulnerability Details
OSV (1)
CVE-2026-27810: calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books (2026-02-27)
Vendor Advisories
Debian (1)
CVE-2026-27810: calibre - calibre is a cross-platform e-book manager for viewing, converting, editing, and... (2026)