CVE-2026-27824 — Improper Restriction of Excessive Authentication Attempts in Calibre
Severity: 5.3 MEDIUM (NVD)
EPSS: 0.0% (top 92.35%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Feb 27
Description
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Server's brute-force protection mechanism uses a ban key derived from both `remote_addr` and the `X-Forwarded-For` header. Since the `X-Forwarded-For` header is read directly from the HTTP request without any validation or trusted-proxy configuration, an attacker can bypass IP-based bans by simply changing or adding this header, rendering the brute-forc…
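As an added illustration (not calibre's own code), the weak ban-key derivation described above beside a hardened form that honours `X-Forwarded-For` only when the transport peer is a configured trusted proxy; the function names, the trusted range and the three-attempt limit are assumptions.

```python
# Added illustration (not calibre's code): a brute-force ban key built from an
# unvalidated X-Forwarded-For header versus one anchored to the transport peer.
# Names, the trusted-proxy range and the 3-attempt limit are assumptions.
from collections import defaultdict
from ipaddress import ip_address, ip_network

MAX_FAILURES = 3
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]  # constructed example range


def ban_key_vulnerable(remote_addr: str, headers: dict) -> str:
    # Pre-9.4.0 pattern: the header value is taken verbatim into the key,
    # so every distinct header value gets its own fresh failure counter.
    return f"{remote_addr}|{headers.get('X-Forwarded-For', '')}"


def ban_key_hardened(remote_addr: str, headers: dict) -> str:
    # Use X-Forwarded-For only when the peer is a trusted proxy, and then only
    # its first (client) hop; for any other peer, key on the peer address.
    peer = ip_address(remote_addr)
    if any(peer in net for net in TRUSTED_PROXIES):
        client = headers.get("X-Forwarded-For", "").split(",")[0].strip()
        try:
            return str(ip_address(client))
        except ValueError:
            pass  # malformed header: fall back to the peer address
    return str(peer)


class BanTracker:
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.failures = defaultdict(int)

    def record_failure(self, remote_addr: str, headers: dict) -> None:
        self.failures[self.key_fn(remote_addr, headers)] += 1

    def is_banned(self, remote_addr: str, headers: dict) -> bool:
        return self.failures[self.key_fn(remote_addr, headers)] >= MAX_FAILURES


def attempts_until_ban(key_fn, remote_addr="203.0.113.7", rotate_header=True):
    # Count failed logins from one untrusted peer until the tracker bans it,
    # changing the header each request; None if 10 rounds never trigger a ban.
    tracker = BanTracker(key_fn)
    for i in range(10):
        hdrs = {"X-Forwarded-For": f"198.51.100.{i}"} if rotate_header else {}
        if tracker.is_banned(remote_addr, hdrs):
            return i
        tracker.record_failure(remote_addr, hdrs)
    return None
```

With the hardened key the same peer is banned after three failures whatever the header says, while the vulnerable key never bans it.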
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (Exploitability: 3.9 | Impact: 1.4)
Affected Packages: 4 packages
Vulnerability Details
OSV (1): CVE-2026-27824: calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books (2026-02-27)
Vendor Advisories
Debian (1): CVE-2026-27824: calibre - calibre is a cross-platform e-book manager for viewing, converting, editing, and... (2026)