Description
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows, this leads to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. Function extract_pictures only checks startswith('Pictures'), and does not sanitize '..' sequences. calibre's own ZipFile.extractall() in utils/zipfile.py does sanitize '..' via _get_targetpath(), but extract_pictures() bypasses this by using manual zf.read() + open(). This issue has been fixed in version 9.3.0.
Published: 2026-02-20
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write with Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The flaw lies in the extract_pictures function of calibre, which only verifies that file names begin with "Pictures" and fails to normalize or strip ".." sequences. An attacker can embed path traversal entries in a ZIP to overwrite any file in directories where calibre has write access. On Windows, writing a malicious payload to the Startup folder enables code execution the next time the user logs in. This provides uncontrolled file writes and, in the Windows scenario, remote code execution, making the vulnerability a high‑severity issue.

Affected Systems

Affected products are kovidgoyal’s calibre e‑book manager. Versions 9.2.1 and earlier are vulnerable. The developers addressed the issue in version 9.3.0, which removes the unsafe extract_pictures implementation.

Risk and Exploitability

CVSS scoring assigns 9.3, indicating critical severity, while the EPSS score is below 1%, implying a very low current exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread active exploits. Nevertheless, successful exploitation requires only local interaction with calibre and sufficient file‑write permissions; on Windows the ability to place a payload in the Startup folder turns local access into remote code execution. The combination of high severity and the straightforward local attack path warrants urgent remediation.

Generated by OpenCVE AI on April 17, 2026 at 17:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade calibre to version 9.3.0 or newer to eliminate the vulnerable path traversal logic.
  • Restrict the application’s file‑system permissions, particularly on Windows, so it cannot write to the Startup folder or other sensitive directories.
  • If an upgrade cannot be applied immediately, disable or replace the extract_pictures feature with a safe ZIP extraction routine that normalizes paths before writing.
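To make the contrast in the description concrete (a prefix-only startswith('Pictures') test versus extraction that resolves the member path and checks containment before writing), here is an added Python example. It is written for this page and is not calibre's code: naive_is_picture, safe_target_path, extract_pictures_safely, run_demo and the sample archive are all constructed here. It goes a little beyond the last bullet by also refusing absolute member names and by treating backslashes as separators, since an archive built on one OS may be extracted on another.

```python
import io
import os
import tempfile
import zipfile
from typing import Optional

PICTURE_DIR = 'Pictures'  # the prefix the vulnerable check compares against


def naive_is_picture(name: str) -> bool:
    """The prefix-only test the advisory describes. It accepts
    'Pictures/../x' because it never looks at what follows the prefix."""
    return name.startswith(PICTURE_DIR)


def safe_target_path(dest_dir: str, member_name: str) -> Optional[str]:
    """Resolve where a member would land and return that path only if it
    stays inside <dest_dir>/Pictures; otherwise return None.
    Hypothetical helper written for this example, not calibre's own."""
    allowed_root = os.path.realpath(os.path.join(dest_dir, PICTURE_DIR))
    # Normalize separators so a backslash in a foreign-built archive cannot
    # be read as part of a file name on one OS and as a separator on another.
    name = member_name.replace('\\', '/')
    # Absolute names and drive letters never belong in an archive member.
    if name.startswith('/') or os.path.splitdrive(name)[0]:
        return None
    candidate = os.path.realpath(os.path.join(dest_dir, name))
    # realpath has already collapsed '..'; commonpath is the containment test.
    if os.path.commonpath([allowed_root, candidate]) != allowed_root:
        return None
    return candidate


def extract_pictures_safely(zip_bytes: bytes, dest_dir: str) -> dict:
    """Write only members that resolve inside <dest_dir>/Pictures.
    Returns which members were written and which were rejected."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not naive_is_picture(info.filename):
                continue  # not a picture entry at all; out of scope here
            target = safe_target_path(dest_dir, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # Manual read() + open(), as in the advisory, but only after the
            # containment check above has approved the resolved path.
            with open(target, 'wb') as fh:
                fh.write(zf.read(info))
            written.append(info.filename)
    return {'written': written, 'rejected': rejected}


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real EPUB): one legitimate picture,
    one entry that backs out of Pictures/, and one that leaves dest_dir."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('Pictures/cover.jpg', b'JPEGDATA')
        zf.writestr('Pictures/../sibling.txt', b'escapes Pictures/')
        zf.writestr('Pictures/../../outside.txt', b'escapes dest_dir')
        zf.writestr('text/chapter1.html', b'<p>not a picture</p>')
    return buf.getvalue()


def run_demo() -> dict:
    """Extract the sample into a fresh temporary directory and report what
    ended up on disk, so the containment check can be verified."""
    dest = tempfile.mkdtemp(prefix='calibre-demo-')
    result = extract_pictures_safely(build_sample_zip(), dest)
    result['cover_on_disk'] = os.path.isfile(
        os.path.join(dest, PICTURE_DIR, 'cover.jpg'))
    result['sibling_on_disk'] = os.path.isfile(os.path.join(dest, 'sibling.txt'))
    result['outside_on_disk'] = os.path.isfile(
        os.path.join(os.path.dirname(dest), 'outside.txt'))
    return result


if __name__ == '__main__':
    print(run_demo())
```

Both traversal entries pass naive_is_picture, which is exactly the gap the description points at; only the resolved-path check keeps them off the disk. Running the block prints which members were written and which were rejected.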

Advisories
Source | ID | Title
Debian DLA | DLA-4554-1 | calibre security update
History

Fri, 20 Feb 2026 17:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Calibre-ebook; Calibre-ebook calibre
CPEs | | cpe:2.3:a:calibre-ebook:calibre:*:*:*:*:*:*:*:*
Vendors & Products | | Calibre-ebook; Calibre-ebook calibre
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 20 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Kovidgoyal; Kovidgoyal calibre
Vendors & Products | | Kovidgoyal; Kovidgoyal calibre

Fri, 20 Feb 2026 02:15:00 +0000

Type | Values Removed | Values Added
Description | | calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows, this leads to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. Function extract_pictures only checks startswith('Pictures'), and does not sanitize '..' sequences. calibre's own ZipFile.extractall() in utils/zipfile.py does sanitize '..' via _get_targetpath(), but extract_pictures() bypasses this by using manual zf.read() + open(). This issue has been fixed in version 9.3.0.
Title | | calibre: Path Traversal Vulnerability Enables Arbitrary File Write and Remote Code Execution
Weaknesses | | CWE-22
References | |
Metrics | | cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:34:24.625Z

Reserved: 2026-02-10T18:01:31.900Z

Link: CVE-2026-26064

Vulnrichment

Updated: 2026-02-20T15:29:12.668Z

NVD

Status : Analyzed

Published: 2026-02-20T02:16:52.703

Modified: 2026-02-20T16:53:32.203

Link: CVE-2026-26064

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:45:24Z

Weaknesses