CVE-2026-33206 — Relative Path Traversal in Calibre

CWE-23 — Relative Path Traversal5 documents5 sources

Severity

8.2HIGHNVD

EPSS

0.0%

top 97.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kovidgoyal Calibre Calibre-ebook Calibre Debian Calibre

Timeline

PublishedMar 27

Description

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a path traversal vulnerability exists in Calibre' handling of images in Markdown and other similar text-based files allowing an attacker to include arbitrary files from the file system into the converted book. Additionally, missing authentication and server-side request forgery in the background-image endpoint in the ebook reader web view allow the files to be exfiltrated …

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Affected Packages4 packages

▶NVDcalibre-ebook/calibre< 9.6.0

▶debiandebian/calibre< calibre 9.6.0+ds+~0.10.5-1 (forky)

▶CVEListV5kovidgoyal/calibre< 9.6.0

▶Debiankovidgoyal/calibre< 9.6.0+ds+~0.10.5-1

🔴Vulnerability Details

OSV

CVE-2026-33206: calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books↗2026-03-27

▶

📋Vendor Advisories

Debian

CVE-2026-33206: calibre - calibre is a cross-platform e-book manager for viewing, converting, editing, and...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33206 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-33206 calibre: path traversal allows reading arbitrary files when converting a text-based file [fedora-all]↗2026-03-27

▶