Description
calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index command-line options. This vulnerability is fixed in 9.2.0.
Published: 2026-02-06
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution via SSTI
Action: Immediate Patch
AI Analysis

Impact

A Server-Side Template Injection flaw in Calibre's Templite templating engine lets whoever authors a custom template file execute arbitrary code when that file is passed to a conversion through the --template-html or --template-html-index command-line options. The engine executes the expressions embedded in a template rather than merely substituting values into it, so a crafted template runs with the full privileges of the user who started the conversion: it can read or modify that user's files, exfiltrate credentials and tokens stored in the profile, or install persistent malware. The weakness is classified as Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336); the record additionally carries Expression Language Injection (CWE-917), which describes the same failure to neutralize code-bearing input before it reaches the expression evaluator.

Affected Systems

The vulnerability affects every Kovidgoyal calibre release before 9.2.0, regardless of how calibre was installed (upstream binaries, distribution packages, or source builds); the CPE cpe:2.3:a:calibre-ebook:calibre:*:*:*:*:*:*:*:* recorded by NVD covers the product. Calibre 9.2.0 and later contain the fix.

Risk and Exploitability

The CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (7.8, High): no privileges are required, but the attack is local (AV:L) and needs user interaction (UI:R), so the realistic delivery path is a template file that the victim obtains from elsewhere and then passes to --template-html or --template-html-index. Once that happens the attacker's code runs with the victim's full privileges (C:H/I:H/A:H). EPSS is below 1 % and the CVE is not in the CISA KEV catalog; Red Hat rates it Important. The SSVC assessment recorded on 2026-02-06 marks Exploitation as 'poc' and Technical Impact as 'total', so a proof of concept exists even though no in-the-wild exploitation has been reported. Scripted or batch-conversion pipelines that accept templates from untrusted sources raise the risk further, because a crafted template executes as soon as the pipeline runs it, with no further interaction. The fix is available only in 9.2.0 and newer.

Generated by OpenCVE AI on April 17, 2026 at 22:27 UTC.

Remediation

The record carries no vendor advisory link or documented workaround; per the CVE description, the fix is to upgrade to calibre 9.2.0 or later.

OpenCVE Recommended Actions

  • Upgrade Calibre to version 9.2.0 or later, the first release that contains the fix, and confirm the installed version afterwards (for example with ebook-convert --version).
  • If the update cannot be applied immediately, do not pass --template-html or --template-html-index at all, or pass only template files you wrote yourself or obtained from a source you trust; treat any template downloaded from the internet or received from another user as code, because that is what the engine executes, and remove unverified custom templates before converting.
  • Watch for ebook-convert (or the calibre GUI process) spawning shells or other unexpected child processes or writing outside the output directory, and run conversions of untrusted input in a sandbox (a container, a dedicated low-privilege account, or a restricted VM) so that a malicious template cannot reach the user's credentials or persistence locations.
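The Impact section above explains why a template engine that executes embedded expressions hands the template author code execution, and the Recommended Actions ask for untrusted template files to be vetted before a conversion. The following Python is an added illustration, not calibre's code and not a reproduction of its Templite: a toy renderer that hands each `${...}$` expression to eval() the way a Templite-style engine does (the delimiters are an assumption modelled on the Templite+ engine), a hardened renderer beside it that accepts only dotted variable lookups, and an audit helper that lists every expression in a template file that is not a plain variable reference. The sample templates and the conversion context are constructed for the example.

```python
import html
import re
from types import SimpleNamespace

# Delimiters modelled on the Templite+ engine (assumption for illustration;
# calibre's own template parser is not reproduced here).
EXPR_RE = re.compile(r"\$\{(.*?)\}\$", re.DOTALL)

# The only expression shape the hardened renderer accepts: a dotted name
# such as title or author.name, never starting with an underscore.
DOTTED_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(?:\.[A-Za-z][A-Za-z0-9_]*)*$")


class TemplateError(ValueError):
    """Raised by the hardened renderer for anything that is not a variable lookup."""


# Constructed sample templates (not calibre's shipped ones). The second has the
# shape of an SSTI payload: an arbitrary Python expression. A harmless call into
# the os module stands in for the os.system() call a real attacker would make.
SAFE_TEMPLATE = "<h1>${title}$</h1><p>by ${author.name}$</p>"
MALICIOUS_TEMPLATE = "<h1>${__import__('os').getpid() > 0}$</h1>"

# Constructed conversion context, standing in for the book metadata a
# converter exposes to the template.
CONTEXT = {"title": "Example & Co", "author": SimpleNamespace(name="Ada")}


def render_unsafe(template, context):
    """Templite-style rendering: each ${...}$ is passed to eval().

    eval() runs with the normal builtins, so __import__ is reachable and the
    template author gets arbitrary code execution as the converting user.
    """
    def substitute(match):
        return str(eval(match.group(1), {}, dict(context)))
    return EXPR_RE.sub(substitute, template)


def _lookup(path, context):
    """Resolve a dotted name against the context with no code evaluation."""
    head, *attrs = path.split(".")
    value = context[head]            # KeyError for unknown variables, by design
    for attr in attrs:
        if attr.startswith("_"):     # never expose private or dunder attributes
            raise TemplateError(f"private attribute in template: {path!r}")
        value = getattr(value, attr)
    return value


def render_safe(template, context):
    """Hardened rendering: dotted variable lookups only, output HTML-escaped."""
    def substitute(match):
        expr = match.group(1).strip()
        if not DOTTED_NAME.match(expr):
            raise TemplateError(f"rejected template expression: {expr!r}")
        return html.escape(str(_lookup(expr, context)))
    return EXPR_RE.sub(substitute, template)


def audit_template(text):
    """Return every ${...}$ expression that is not a plain dotted name.

    For vetting custom template files before handing them to a converter that
    still evaluates expressions: a non-empty result means the file contains
    code, not just variable references.
    """
    return [m.group(1).strip() for m in EXPR_RE.finditer(text)
            if not DOTTED_NAME.match(m.group(1).strip())]


def safe_render_rejects(template, context):
    """True if the hardened renderer refuses the template."""
    try:
        render_safe(template, context)
    except TemplateError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe, benign :", render_unsafe(SAFE_TEMPLATE, CONTEXT))
    print("unsafe, payload:", render_unsafe(MALICIOUS_TEMPLATE, CONTEXT))
    print("safe, benign   :", render_safe(SAFE_TEMPLATE, CONTEXT))
    print("audit findings :", audit_template(MALICIOUS_TEMPLATE))
    print("safe rejects   :", safe_render_rejects(MALICIOUS_TEMPLATE, CONTEXT))
```

The unsafe renderer produces the expected HTML for the benign template and also happily evaluates the payload, which is the whole problem: there is no difference, from the engine's point of view, between `title` and `__import__('os').getpid()`. The hardened renderer draws exactly that line with a whitelist of expression shapes rather than a blacklist of dangerous tokens, and audit_template applies the same rule to files on disk so that a template directory can be checked before conversion.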

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 21:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Calibre-ebook; Calibre-ebook calibre
CPEs                |                | cpe:2.3:a:calibre-ebook:calibre:*:*:*:*:*:*:*:*
Vendors & Products  |                | Calibre-ebook; Calibre-ebook calibre

Tue, 10 Feb 2026 00:15:00 +0000

Type       | Values Removed        | Values Added
Weaknesses |                       | CWE-917
References |                       |
Metrics    | threat_severity: None | threat_severity: Important


Mon, 09 Feb 2026 11:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Kovidgoyal; Kovidgoyal calibre
Vendors & Products  |                | Kovidgoyal; Kovidgoyal calibre

Fri, 06 Feb 2026 21:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Feb 2026 20:30:00 +0000

Type        | Values Removed | Values Added
Description |                | calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index command-line options. This vulnerability is fixed in 9.2.0.
Title       |                | Calibre Affected by Arbitrary Code Execution via Server-Side Template Injection in Calibre HTML Export
Weaknesses  |                | CWE-1336
References  |                |
Metrics     |                | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-06T21:02:01.147Z

Reserved: 2026-02-05T16:48:00.427Z

Link: CVE-2026-25731

Vulnrichment

Updated: 2026-02-06T21:01:51.273Z

NVD

Status : Analyzed

Published: 2026-02-06T21:16:19.457

Modified: 2026-02-17T21:18:56.893

Link: CVE-2026-25731

Redhat

Severity : Important

Public Date: 2026-02-06T20:14:35Z

Links: CVE-2026-25731 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T22:30:29Z

Weaknesses