CVE-2026-30853: Path Traversal in Calibre

CWE-22: Path Traversal (5 documents, 5 sources)
Severity
NVD: 8.2 HIGH
OSV: 9.3
EPSS
0.0% (top 92.76%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 13

Description

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to 9.5.0, a path traversal vulnerability in the RocketBook (.rb) input plugin (src/calibre/ebooks/rb/reader.py) allows an attacker to write arbitrary files to any path writable by the calibre process when a user opens or converts a crafted .rb file. This is the same bug class fixed in CVE-2026-26065 for the PDB readers, but the fix was never applied to the RB reader. This vulnerability is f
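The bug class named above is the unvalidated join of a member name taken from the input file onto the output directory. The Python below is an added illustration written for this page; it is not calibre's code and makes no claim about how src/calibre/ebooks/rb/reader.py is structured. It runs a constructed table of contents (two ordinary entries, one `..` traversal entry, one absolute-path entry) through a naive join and through a hardened resolver that rejects anything that would land outside the destination. All names, the sample entries and the helper functions are assumptions for the example.

```python
"""
Added example: container member names vs. the extraction directory.
Hypothetical code illustrating the CWE-22 pattern; not calibre's reader.
"""
import tempfile
from pathlib import Path, PurePosixPath

# Constructed sample table of contents: (member name, bytes).
# The last two entries are the kind of names a crafted file would carry.
SAMPLE_TOC = [
    ("index.html", b"<html>ok</html>"),
    ("images/cover.png", b"\x89PNG\r\n\x1a\n"),
    ("../../outside.txt", b"written outside the output dir"),
    ("/tmp/absolute.txt", b"absolute member name"),
]


def naive_target(dest: Path, name: str) -> Path:
    """The vulnerable pattern: the member name from the file decides the
    final path. '..' survives the join and an absolute name replaces dest."""
    return (dest / name).resolve()


def safe_target(dest: Path, name: str) -> Path:
    """Validate a member name and return a path guaranteed to lie under dest.
    Raises ValueError for any name that would escape."""
    if "\x00" in name or "\\" in name:
        raise ValueError(f"illegal characters in member name: {name!r}")
    posix = PurePosixPath(name)
    if not posix.parts or posix.is_absolute():
        raise ValueError(f"empty or absolute member name: {name!r}")
    if any(part in ("..", ".") for part in posix.parts):
        raise ValueError(f"relative component in member name: {name!r}")
    # Belt and braces: check containment on the resolved paths as well,
    # so a symlinked component inside dest cannot redirect the write.
    target = dest.joinpath(*posix.parts).resolve()
    root = dest.resolve()
    if target != root and root not in target.parents:
        raise ValueError(f"member escapes output dir: {name!r}")
    return target


def extract(toc, dest: Path):
    """Hardened extraction: writes only validated members.
    Returns (written names, rejected names) in TOC order."""
    written, rejected = [], []
    for name, data in toc:
        try:
            target = safe_target(dest, name)
        except ValueError:
            rejected.append(name)
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        written.append(name)
    return written, rejected


def demo():
    """Run SAMPLE_TOC through both code paths inside a throwaway directory
    and report what each would do. The naive path is only resolved, never
    written, so the demo cannot clobber anything outside the temp dir."""
    base = Path(tempfile.mkdtemp())
    dest = base / "out" / "book"
    dest.mkdir(parents=True)
    root = dest.resolve()

    def outside(p: Path) -> bool:
        return p != root and root not in p.parents

    naive_escapes = [n for n, _ in SAMPLE_TOC if outside(naive_target(dest, n))]
    written, rejected = extract(SAMPLE_TOC, dest)
    on_disk = sorted(str(p.relative_to(root)) for p in root.rglob("*") if p.is_file())
    return {
        "naive_escapes": naive_escapes,
        "written": written,
        "rejected": rejected,
        "on_disk": on_disk,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The component check alone is not sufficient on its own: a name with no `..` can still end up outside the destination if an earlier member created a symlink there, which is why the resolved-path containment test is kept as a second line of defence. Rejecting backslashes and NUL bytes covers Windows path separators and C-string truncation, both of which a Unix-style split would otherwise miss.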

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H
Exploitability: 1.8 | Impact: 5.8

Affected Packages (3 packages)

Debian: calibre-ebook/calibre < 9.5.0+ds+~0.10.5-1
debian: debian/calibre < calibre 9.5.0+ds+~0.10.5-1 (forky)

🔴 Vulnerability Details (1)

OSV: CVE-2026-30853: calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books (2026-03-13)

📋 Vendor Advisories (2)

Red Hat: calibre: Calibre: Arbitrary file write via crafted RocketBook (.rb) file (2026-03-13)
Debian: CVE-2026-30853: calibre - calibre is a cross-platform e-book manager for viewing, converting, editing, and... (2026)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-30853 Impact, Exploitability, and Mitigation Steps | Wiz