Janeczku Calibre-Web vulnerabilities
25 known vulnerabilities affecting janeczku/calibre-web.
Total CVEs: 25
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 11, HIGH 2, MEDIUM 11, LOW 1
Vulnerabilities
Page 2 of 2
CVE-2021-3987  |  P4  |  MEDIUM  |  CVSS 4.3  |  fixed in 0.6.15  |  2024-11-15
CWE-284 (Improper Access Control)
An improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to create public shelves. The vulnerability is due to the `create_shelf` method in `shelf.py` not verifying if the user has the necessary permissions to create a public shelf. This issue can lead to unauthorized a
Source: NVD
CVE-2022-0405  |  P4  |  MEDIUM  |  CVSS 4.3  |  fixed in 0.6.16  |  2022-04-03
CWE-284 (Improper Access Control)
Improper Access Control in GitHub repository janeczku/calibre-web prior to 0.6.16.
Source: NVD
CVE-2022-0406  |  P4  |  MEDIUM  |  CVSS 4.3  |  fixed in 0.6.16  |  2022-04-03
CWE-285 (Improper Authorization)
Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16.
Source: NVD
CVE-2021-3986  |  P4  |  MEDIUM  |  CVSS 4.3  |  fixed in 0.6.15  |  2024-11-15
CWE-209 (Generation of Error Message Containing Sensitive Information)
A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file shelf.py at line 221, where the name of the shelf is exposed in an error message when a user attempts to remove a book from a shelf they do not own. This vulnerability discloses private informat
Source: NVD
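The two shelf.py findings on this page, CVE-2021-3987 (no permission check before a public shelf is created) and CVE-2021-3986 (the shelf name echoed back in the error when a non-owner removes a book), are both failures at the same authorization boundary, so one illustration serves both. The code below is an added example and is not Calibre-Web's code: a minimal in-memory shelf store that shows each vulnerable variant beside the checked one. `create_shelf` refuses a public shelf for a user who lacks the permission, and `remove_book` answers with one generic message whether the shelf does not exist or belongs to someone else, so the response reveals neither the shelf's existence nor its name. `User`, `Shelf`, `ShelfStore`, `ShelfError`, the `ROLE_EDIT_SHELFS` bit and the "owner, or public-shelf editor on a public shelf" rule are all assumptions for illustration.

```python
"""Added example, not Calibre-Web's code: a minimal shelf store with the two
permission checks described by CVE-2021-3987 (CWE-284, create) and
CVE-2021-3986 (CWE-209, remove-book error text). All names and the
permission rule are assumptions for illustration."""
from dataclasses import dataclass, field

# Assumed permission bit: "user may create and edit public shelves".
ROLE_EDIT_SHELFS = 0x80


@dataclass
class User:
    id: int
    role: int = 0

    def can_edit_public_shelves(self) -> bool:
        return bool(self.role & ROLE_EDIT_SHELFS)


@dataclass
class Shelf:
    id: int
    name: str
    user_id: int
    is_public: bool
    books: set = field(default_factory=set)


class ShelfError(Exception):
    """Carries the message that would be flashed back to the requester."""


class ShelfStore:
    def __init__(self) -> None:
        self._shelves = {}
        self._next_id = 1

    def _add(self, name: str, user: User, is_public: bool) -> Shelf:
        shelf = Shelf(self._next_id, name, user.id, is_public)
        self._shelves[shelf.id] = shelf
        self._next_id += 1
        return shelf

    def _can_edit(self, user: User, shelf: Shelf) -> bool:
        # Assumed rule: the owner may always edit; a public shelf may also be
        # edited by users holding the public-shelf permission.
        return shelf.user_id == user.id or (
            shelf.is_public and user.can_edit_public_shelves())

    # --- CWE-284: create_shelf without a permission check -------------------
    def create_shelf_vulnerable(self, user: User, name: str, is_public: bool) -> Shelf:
        # Trusts the is_public flag from the form: any user makes public shelves.
        return self._add(name, user, is_public)

    def create_shelf(self, user: User, name: str, is_public: bool) -> Shelf:
        # The server-side check the finding says was missing.
        if is_public and not user.can_edit_public_shelves():
            raise ShelfError("Sorry you are not allowed to create a public shelf")
        return self._add(name, user, is_public)

    # --- CWE-209: error text that echoes a private shelf's name -------------
    def remove_book_vulnerable(self, user: User, shelf_id: int, book_id: int) -> None:
        shelf = self._shelves[shelf_id]
        if not self._can_edit(user, shelf):
            # Leaks the name of a shelf the requester is not allowed to see.
            raise ShelfError(
                f"Sorry you are not allowed to remove a book from shelf: {shelf.name}")
        shelf.books.discard(book_id)

    def remove_book(self, user: User, shelf_id: int, book_id: int) -> None:
        shelf = self._shelves.get(shelf_id)
        # One generic message for "no such shelf" and "not yours": the response
        # reveals neither the shelf's existence nor its name.
        if shelf is None or not self._can_edit(user, shelf):
            raise ShelfError("Sorry you are not allowed to remove a book from this shelf")
        shelf.books.discard(book_id)


def error_message(fn, *args) -> str:
    """Runs fn and returns the ShelfError text, or '' when the call succeeds."""
    try:
        fn(*args)
    except ShelfError as exc:
        return str(exc)
    return ""
```

The generic message in `remove_book` is deliberately identical for a missing shelf and for a shelf owned by another user; returning different text for the two cases would let a requester enumerate valid shelf IDs even without learning their names.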
CVE-2025-65858  |  P4  |  LOW  |  CVSS 3.5  |  affects v0.6.25  |  2025-12-02
CWE-79 (Improper Neutralization of Input During Web Page Generation, Cross-site Scripting)
A Stored Cross-Site Scripting (XSS) vulnerability in Calibre-Web v0.6.25 allows attackers to inject malicious JavaScript into the 'username' field during user creation. The payload is stored unsanitized and later executed when the /ajax/listusers endpoint is accessed.
Source: NVD
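The finding above is a stored XSS: the username is accepted with markup in it, and the markup later reaches the page through the user-list response. The code below is an added example and is not Calibre-Web's code. It builds a user-list payload of the kind an AJAX endpoint might return, once with the raw username and once with the username escaped at the point where it is placed into an HTML fragment, and includes a small checker that scans the payload for anything that would still parse as a tag. A creation-time validator is included as defence in depth; output encoding remains the actual fix. The record layout, the `rows` response shape, the `/admin/user/<id>` link and the username policy are assumptions for illustration.

```python
"""Added example, not Calibre-Web's code: output encoding for a stored
username that reaches an AJAX user-list response (CWE-79). The record
layout, response shape, admin link and username policy are assumptions."""
import html
import json
import re

# Constructed sample records, as they would sit in the user table after a
# username containing markup was accepted unsanitised at creation time.
USERS = [
    {"id": 1, "name": "admin", "email": "admin@example.invalid"},
    {"id": 2, "name": '<script>alert("xss")</script>', "email": "mallory@example.invalid"},
]


def list_users_vulnerable(users):
    """Places the raw username inside an HTML fragment in the JSON payload;
    a client that inserts that fragment into the page runs the script."""
    rows = []
    for u in users:
        rows.append({
            "id": u["id"],
            "name": u["name"],
            "edit": f'<a href="/admin/user/{u["id"]}">{u["name"]}</a>',
        })
    return json.dumps({"total": len(rows), "rows": rows})


def list_users(users):
    """Escapes every user-controlled string where it becomes HTML, so the
    stored payload is displayed as text instead of being parsed as markup."""
    rows = []
    for u in users:
        safe_name = html.escape(u["name"], quote=True)
        rows.append({
            "id": int(u["id"]),
            "name": safe_name,
            "edit": f'<a href="/admin/user/{int(u["id"])}">{safe_name}</a>',
        })
    return json.dumps({"total": len(rows), "rows": rows})


# The one anchor the endpoint is expected to emit per row (assumed shape).
_ANCHOR = re.compile(r'^<a href="/admin/user/\d+">(.*)</a>$', re.S)
# Anything that an HTML parser would treat as the start of a tag.
_TAG = re.compile(r"<[A-Za-z/!?]")


def raw_tags_in(response_json):
    """Returns (row id, field) pairs whose value still carries a raw tag
    opener, ignoring the expected anchor wrapper in the 'edit' field.
    An empty list means nothing in the payload parses as HTML."""
    found = []
    for row in json.loads(response_json)["rows"]:
        for key, value in row.items():
            if not isinstance(value, str):
                continue
            if key == "edit":
                match = _ANCHOR.match(value)
                value = match.group(1) if match else value
            if _TAG.search(value):
                found.append((row["id"], key))
    return found


def acceptable_username(name: str) -> bool:
    """Defence in depth at creation time (assumed policy): non-empty, bounded
    length, printable, no angle brackets. Rejecting input does not replace
    the escaping above, since other paths may still write the column."""
    return (0 < len(name) <= 64 and name.isprintable()
            and "<" not in name and ">" not in name)
```

`json.dumps` does not touch `<` or `>`, so JSON encoding alone gives no protection here; the escaping has to happen on the value that is destined for the HTML fragment, which is why `list_users` applies `html.escape` before the f-string and also coerces the id to an integer before it lands in the `href`.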