CVE-2026-25635 | THREATINT

Description

calibre is an e-book manager. Prior to 9.2.0, Calibre's CHM reader contains a path traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows (haven't tested on other OS's), this can lead to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. This vulnerability is fixed in 9.2.0.

PUBLISHED Reserved 2026-02-04 | Published 2026-02-06 | Updated 2026-02-11 | Assigner GitHub_M

HIGH: 8.6CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

< 9.2.0

affected

References

0x5t.raptx.org/posts/calibre-chm-rce

github.com/...alibre/security/advisories/GHSA-32vh-whvh-9fxr

github.com/...ommit/9739232fcb029ac15dfe52ccd4fdb4a07ebb6ce9

cve.org (CVE-2026-25635)

nvd.nist.gov (CVE-2026-25635)

Download JSON