# CVE-2026-33205
Published 2026-03-27
Priority: P4 · 28 · medium · 5.5 (CVSS 3.1)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS: 0.17% (7.0th percentile)
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader's web view allows an attacker to perform blind GET requests to arbitrary URLs and exfiltrate information out from the ebook sandbox. Version 9.6.0 patches the issue.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| calibre-ebook | calibre | < 9.6.0 | 9.6.0 |
| debian | calibre | < calibre 9.6.0+ds+~0.10.5-1 (forky) | calibre 9.6.0+ds+~0.10.5-1 (forky) |
| kovidgoyal | calibre | < 9.6.0 | 9.6.0 |
| kovidgoyal | calibre | >= 0 < 9.6.0+ds+~0.10.5-1 | 9.6.0+ds+~0.10.5-1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| nvd | 4.0 | 4.8 | MEDIUM | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | | 4.8 | MEDIUM | |
| vendor_debian | | 4.8 | MEDIUM | |
Debian
CVE-2026-33205 [MEDIUM]: calibre - calibre is a cross-platform e-book manager for viewing, converting, editing, and...
vendor_debian · 2026 · CVSS 4.8
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 9.6.0+ds+~0.10.5-1)
sid: resolved (fixed in 9.6.0+ds+~0.10.5-1)
trixie: open
OSV
CVE-2026-33205 [MEDIUM]: calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books
osv · 2026-03-27 · CVSS 4.8
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-33205 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.1
## CVE-2026-33205: NixOS vulnerability analysis and mitigation
Source: NVD
Score: 4.8
Published: March 27, 2026
Severity: MEDIUM
CNA Score: 4.8
Affected Technologies: NixOS, Homebrew
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 2.2
Exploitation Probability (EPSS): N/A
Affected packages and libra
Bugzilla
CVE-2026-33205 [MEDIUM] calibre: server-side request forgery in ebook viewer backend [fedora-all]
bugzilla · 2026-03-27 · CVSS 4.8
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-7de23151cd (calibre-9.6.0-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-7de23151cd
---
FEDORA-2026-9cc418c23e (calibre-9.6.0-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-9cc418c23e
---
FEDORA-2026-9cc418c23e has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sud