Impact
Calibre, an e-book manager, contains a path traversal flaw in its CHM reader that permits arbitrary file writes when a user opens a malicious CHM file. Because the reader does not confine extracted entries to its output directory, an attacker can place files, such as a malicious executable, in any location where the user has write permission. On Windows, an attacker can write a payload into the Startup folder, so that it runs the next time the user logs in. The result is full code execution on the victim's machine and a loss of system integrity. The weakness is classified as CWE-22 (improper limitation of a pathname to a restricted directory, i.e. path traversal).
Affected Systems
The vulnerable product is Calibre, developed by Kovid Goyal. The issue is present in all releases prior to version 9.2.0. Users running any of those versions are at risk on any operating system, since the write lands wherever the Calibre process is permitted to create files. In the Common Platform Enumeration (CPE) database the software is listed under the Calibre-ebook vendor entry.
Risk and Exploitability
Based on the description, the likely attack vector is local or remote delivery of a crafted CHM file, for example through phishing or a compromised content store. Once Calibre parses the file, the attacker can write to any location the user's privileges allow. On Windows this enables remote code execution by persisting a payload in the Startup folder. The CVSS score of 8.6 signals high severity, while the EPSS score of less than 1 % indicates a low probability of active exploitation in the near term. The vulnerability has not yet appeared in the CISA KEV catalogue, so no active exploitation has been publicly reported, but the high CVSS score warrants proactive mitigation, i.e. upgrading to version 9.2.0 or later.
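The traversal described above follows the usual CWE-22 pattern: an archive entry name containing `..`, an absolute path or a drive prefix is joined onto the extraction directory without checking where the result lands. The following Python example is added here as an illustration and is not Calibre's code; `safe_extract_path`, `plan_extraction`, `extract_members` and the sample entries are constructed for this example. It shows the containment check an extractor for CHM (or any archive format) should apply before writing each member.

```python
import ntpath
import os
import posixpath


def safe_extract_path(dest_root, member_name):
    """Map an untrusted archive member name to an on-disk path under dest_root.

    Returns the absolute target path, or None when the member would land
    outside dest_root (CWE-22 path traversal).
    """
    # CHM entries normally use '/', but accept either separator so a
    # backslash-based escape is not missed on POSIX hosts.
    name = member_name.replace("\\", "/")
    # Reject absolute paths, drive-relative names (C:foo) and UNC prefixes.
    if name.startswith("/") or ntpath.splitdrive(name)[0]:
        return None
    # Collapse '.' and redundant separators; any surviving '..' escapes root.
    parts = [p for p in posixpath.normpath(name).split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return None
    root = os.path.realpath(dest_root)
    target = os.path.realpath(os.path.join(root, *parts))
    # Containment check after symlink resolution, in case dest_root already
    # contains a symlink pointing elsewhere.
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def plan_extraction(dest_root, member_names):
    """Split member names into accepted (name -> target path) and rejected.

    Nothing is written to disk, so callers can audit a CHM before extracting.
    """
    accepted, rejected = {}, []
    for name in member_names:
        target = safe_extract_path(dest_root, name)
        if target is None:
            rejected.append(name)
        else:
            accepted[name] = target
    return accepted, rejected


def extract_members(members, dest_root):
    """Write {member_name: bytes} into dest_root, skipping unsafe entries.

    Returns the rejected member names so the caller can log them.
    """
    accepted, rejected = plan_extraction(dest_root, members)
    for name, target in accepted.items():
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(members[name])
    return rejected


if __name__ == "__main__":
    import tempfile

    # Constructed sample: two legitimate entries and two traversal attempts
    # shaped like the Startup-folder scenario in the advisory.
    sample = {
        "index.html": b"<html>ok</html>",
        "html/../images/cover.png": b"\x89PNG",
        "../../../Start Menu/Programs/Startup/payload.exe": b"MZ",
        "C:/Users/victim/payload.exe": b"MZ",
    }
    with tempfile.TemporaryDirectory() as out:
        print("rejected:", extract_members(sample, out))
        print("written:", sorted(os.listdir(out)))
```

The check deliberately rejects rather than sanitises: stripping `..` components and continuing would silently write a renamed file, whereas refusing the entry (and logging it) makes a crafted CHM visible to the user or to monitoring.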
OpenCVE Enrichment