CVE-2026-33205 — Server-Side Request Forgery in Calibre

CWE-918 — Server-Side Request Forgery5 documents5 sources

Severity

4.8MEDIUMNVD

EPSS

0.0%

top 97.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kovidgoyal Calibre Calibre-ebook Calibre Debian Calibre

Timeline

PublishedMar 27

Description

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader's web view allows an attacker to perform blind GET requests to arbitrary URLs and exfiltrate information out from the ebook sandbox. Version 9.6.0 patches the issue.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDcalibre-ebook/calibre< 9.6.0

▶debiandebian/calibre< calibre 9.6.0+ds+~0.10.5-1 (forky)

▶CVEListV5kovidgoyal/calibre< 9.6.0

▶Debiankovidgoyal/calibre< 9.6.0+ds+~0.10.5-1

🔴Vulnerability Details

OSV

CVE-2026-33205: calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books↗2026-03-27

▶

📋Vendor Advisories

Debian

CVE-2026-33205: calibre - calibre is a cross-platform e-book manager for viewing, converting, editing, and...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33205 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-33205 calibre: server-side request forgery in ebook viewer backend [fedora-all]↗2026-03-27

▶