Description
calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0.
Published: 2026-02-06
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Corruption and Code Execution
Action: Immediate Patch
AI Analysis

Impact

A path traversal flaw in Calibre’s EPUB conversion process allows a malicious EPUB to resolve a CipherReference URI to an absolute path on the filesystem. When the file points outside the extraction directory, Calibre opens it in read‑write mode, enabling the attacker to corrupt any writable file. Depending on the file overwritten, this can lead to service disruption or execution of arbitrary code. The weakness corresponds to Path Traversal, Absolute Path Traversal, and Code Injection.

Affected Systems

Versions of the calibre e‑book manager 9.1.0 and earlier by Kovid Goyal are affected. The issue is fixed in calibre 9.2.0 and later releases.

Risk and Exploitability

The vulnerability’s CVSS score of 8.2 indicates high severity, but its EPSS score of less than 1% suggests low current exploitation probability. It is not listed in the CISA KEV catalog. An attacker would supply a crafted EPUB file to the user’s Calibre instance; the exploit relies on write permissions granted to the Calibre process and the presence of a target file that can be overwritten. If successful, the attacker could corrupt configuration files, and based on the vulnerability’s ability to overwrite arbitrary files, it is inferred that replacement of executable binaries or broader host compromise might also be possible.

Generated by OpenCVE AI on April 18, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to calibre 9.2.0 or later to apply the fix for the path traversal vulnerability.
  • Run Calibre under a user account with minimal write permissions, restricting its ability to modify system or application files outside its working directory.
  • Avoid converting EPUB files from untrusted sources or perform the conversion inside a sandboxed environment until a patch is applied.

Generated by OpenCVE AI on April 18, 2026 at 18:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4554-1 calibre security update
History

Tue, 17 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Calibre-ebook
Calibre-ebook calibre
CPEs cpe:2.3:a:calibre-ebook:calibre:*:*:*:*:*:*:*:*
Vendors & Products Calibre-ebook
Calibre-ebook calibre

Wed, 11 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 10 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 09 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Kovidgoyal
Kovidgoyal calibre
Vendors & Products Kovidgoyal
Kovidgoyal calibre

Fri, 06 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
Description calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0.
Title calibre has a Path Traversal Leading to Arbitrary File Corruption and Code Execution
Weaknesses CWE-22
CWE-73
CWE-94
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H'}

Subscriptions

Calibre-ebook Calibre
Kovidgoyal Calibre
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-11T14:51:19.827Z

Reserved: 2026-02-04T05:15:41.790Z

Link: CVE-2026-25636

cve-icon Vulnrichment

Updated: 2026-02-11T14:51:19.827Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-06T21:16:18.833

Modified: 2026-02-17T21:23:11.340

Link: CVE-2026-25636

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-06T20:07:40Z

Links: CVE-2026-25636 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T18:30:07Z

Weaknesses