Home

Description

calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0.

PUBLISHED Reserved 2026-02-04 | Published 2026-02-06 | Updated 2026-02-11 | Assigner GitHub_M




HIGH: 8.2CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-73: External Control of File Name or Path

CWE-94: Improper Control of Generation of Code ('Code Injection')

Product status

< 9.2.0
affected

References

0x5t.raptx.org/posts/calibre-epub-rce

github.com/...alibre/security/advisories/GHSA-8r26-m7j5-hm29

github.com/...ommit/9484ea82c6ab226c18e6ca5aa000fa16de598726

cve.org (CVE-2026-25636)

nvd.nist.gov (CVE-2026-25636)

Download JSON