Description
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, an HTTP Response Header Injection vulnerability in the calibre Content Server allows any authenticated user to inject arbitrary HTTP headers into server responses via an unsanitized `content_disposition` query parameter in the `/get/` and `/data-files/get/` endpoints. All users running the calibre Content Server with authentication enabled are affected. The vulnerability is exploitable by any authenticated user and can also be triggered by tricking an authenticated victim into clicking a crafted link. Version 9.4.0 contains a fix for the issue.
Published: 2026-02-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: HTTP Response Header Injection
Action: Apply Patch
AI Analysis

Impact

A flaw in the calibre Content Server allows an authenticated user to inject arbitrary HTTP response headers through an unsanitized content_disposition query parameter on the /get/ and /data-files/get/ endpoints. Because the parameter value is written into a response header without filtering, a value containing line-break characters can end that header and start new ones, which compromises the integrity of the response. The weakness is categorized as CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers). The issue can also be triggered by an authenticated victim clicking a crafted link, making it exploitable in victim-based scenarios.

Affected Systems

All users running calibre Content Server versions earlier than 9.4.0 with authentication enabled are affected. Any installation of the Content Server that accepts the content_disposition query parameter on those endpoints and has any form of user authentication configured is exposed. The affected product is calibre, from the vendor kovidgoyal.

Risk and Exploitability

The vulnerability has a CVSS v3.1 score of 6.4, indicating moderate severity. Current EPSS data shows an exploitation probability of less than 1%, suggesting a low likelihood of broad exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated session and manipulation of the content_disposition parameter, which can be achieved via a crafted URL.

Generated by OpenCVE AI on April 18, 2026 at 19:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade calibre to version 9.4.0 or later
  • If upgrading is not feasible, configure the Content Server (or web server proxy) to reject or strip the content_disposition query parameter from the /get/ and /data-files/get/ endpoints, thereby preventing header injection
  • Disable or protect the Content Server endpoints by applying stricter authentication controls or by removing public access to the /get/ and /data-files/get/ URLs
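As an added example (not calibre's own code, and not the project's fix): a Python builder for the Content-Disposition header that refuses control characters in an untrusted filename such as a query-parameter value, the class of check that closes CWE-113, shown beside the naive builder so the effect of an embedded CRLF on the emitted header lines is visible. All function names and the sample filename are constructed for the illustration.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import quote

# Control characters, including CR and LF: any of these in a header value lets
# the value end the current header line and start another one (CWE-113).
_CTL = re.compile(r"[\x00-\x1f\x7f]")
_DISPOSITION_TYPES = {"inline", "attachment"}

class HeaderInjectionError(ValueError):
    """Raised when an untrusted value would break out of its header line."""

def safe_content_disposition(disposition: str, filename: str) -> str:
    """Build a single-line Content-Disposition value from an untrusted filename.
    Control characters are rejected, not stripped, so a bad request fails loudly."""
    if disposition not in _DISPOSITION_TYPES:
        raise HeaderInjectionError(f"unsupported disposition type: {disposition!r}")
    if _CTL.search(filename):
        raise HeaderInjectionError("control character in filename")
    # Keep only the final path component so the client never sees a directory.
    filename = filename.replace("\\", "/").rsplit("/", 1)[-1] or "download"
    # RFC 6266: plain ASCII in filename=, percent-encoded UTF-8 in filename*=.
    ascii_name = filename.encode("ascii", "replace").decode().replace('"', "")
    utf8_name = quote(filename, safe="")
    return f"{disposition}; filename=\"{ascii_name}\"; filename*=UTF-8''{utf8_name}"

def render_header_lines(headers: List[Tuple[str, str]]) -> List[str]:
    """Serialise headers as an HTTP/1.1 server would and return the lines a
    client parses, which makes an embedded CRLF visible as an extra header."""
    raw = "".join(f"{name}: {value}\r\n" for name, value in headers)
    return [line for line in raw.split("\r\n") if line]

# Constructed sample input (hypothetical): a filename carrying a CRLF sequence.
CRAFTED_FILENAME = "book.epub\r\nX-Injected: 1"

def naive_response_headers() -> List[str]:
    """The vulnerable pattern: the untrusted value is copied into the header."""
    value = f'attachment; filename="{CRAFTED_FILENAME}"'
    return render_header_lines([("Content-Disposition", value)])

def hardened_response_headers() -> Optional[List[str]]:
    """The hardened pattern: the request is refused before any header is written."""
    try:
        value = safe_content_disposition("attachment", CRAFTED_FILENAME)
    except HeaderInjectionError:
        return None
    return render_header_lines([("Content-Disposition", value)])
```

The naive builder yields two header lines from one value, while the hardened builder returns None for the same input because the request is rejected before a header is emitted.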

Advisories

No advisories yet.

History

Wed, 04 Mar 2026 16:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Calibre-ebook; Calibre-ebook calibre
CPEs                 -                cpe:2.3:a:calibre-ebook:calibre:*:*:*:*:*:*:*:*
Vendors & Products   -                Calibre-ebook; Calibre-ebook calibre

Mon, 02 Mar 2026 13:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Kovidgoyal; Kovidgoyal calibre
Vendors & Products   -                Kovidgoyal; Kovidgoyal calibre

Fri, 27 Feb 2026 20:00:00 +0000

Type          Values Removed   Values Added
Description   -                (the full text shown under Description above)
Title         -                calibre Vulnerable to HTTP Response Header Injection
Weaknesses    -                CWE-113
References    -
Metrics       -                cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T12:53:36.368Z

Reserved: 2026-02-24T02:31:33.267Z

Link: CVE-2026-27810

Vulnrichment

Updated: 2026-03-02T12:53:32.292Z

NVD

Status : Analyzed

Published: 2026-02-27T20:21:39.780

Modified: 2026-03-04T16:40:42.740

Link: CVE-2026-27810

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:45:08Z

Weaknesses