CVE-2026-30853 - Vulnerability Details

Description

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to 9.5.0, a path traversal vulnerability in the RocketBook (.rb) input plugin (src/calibre/ebooks/rb/reader.py) allows an attacker to write arbitrary files to any path writable by the calibre process when a user opens or converts a crafted .rb file. This is the same bug class fixed in CVE-2026-26065 for the PDB readers, but the fix was never applied to the RB reader. This vulnerability is fixed in 9.5.0.

Published: 2026-03-13

Score: 5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Calibre versions prior to 9.5.0 contain a path traversal flaw in the RocketBook (.rb) input plugin that allows an attacker to write arbitrary files to any location writable by the calibre process when a user opens or converts a crafted .rb file. This weakness, classified as CWE-22, enables malicious code to create or overwrite files, potentially compromising the confidentiality and integrity of the system or affecting exposed resources. The flaw does not provide remote code execution but can be used to write malicious binaries, configuration files, or other payloads that may be executed later by the user or privileged processes.

Affected Systems

The product affected is kovidgoyal:calibre, available as calibre-ebook:calibre. All releases before version 9.5.0 are vulnerable. The issue is present across all supported operating systems as calibre is cross-platform.

Risk and Exploitability

The CVSS score of 5 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a user to open a specifically crafted .rb file, so the attack vector is local and user-interactive. While the impact is limited to environments where calibre runs with elevated or system-level privileges, the lack of remote exploitation reduces overall risk for typical deployments.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

kovidgoyal

calibre

affected

Version	Status	Constraints
`< 9.5.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:calibre-ebook:calibre:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Kovidgoyal

Calibre

100%

Version	Status	Scheme	Platform
`[0,9.5.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update to calibre 9.5.0 or later.

Generated by OpenCVE AI on March 18, 2026 at 15:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-7mp7-rfrg-542x
https://nvd.nist.gov/vuln/detail/CVE-2026-30853
https://www.cve.org/CVERecord?id=CVE-2026-30853

History

Wed, 18 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Calibre-ebook Calibre-ebook calibre
CPEs		cpe:2.3:a:calibre-ebook:calibre::::::::
Vendors & Products		Calibre-ebook Calibre-ebook calibre

Mon, 16 Mar 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-30853 https://www.cve.org/CVERecord?id=CVE-2026-30853
Metrics	threat_severity `None`	threat_severity `Moderate`

Mon, 16 Mar 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Kovidgoyal Kovidgoyal calibre
Vendors & Products		Kovidgoyal Kovidgoyal calibre

Fri, 13 Mar 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 13 Mar 2026 19:15:00 +0000

Type	Values Removed	Values Added
Description		calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to 9.5.0, a path traversal vulnerability in the RocketBook (.rb) input plugin (src/calibre/ebooks/rb/reader.py) allows an attacker to write arbitrary files to any path writable by the calibre process when a user opens or converts a crafted .rb file. This is the same bug class fixed in CVE-2026-26065 for the PDB readers, but the fix was never applied to the RB reader. This vulnerability is fixed in 9.5.0.
Title		calibre has a Path Traversal Leading to Arbitrary File Write
Weaknesses		CWE-22
References		https://github.com/kovidgoyal/calibre/security/advisories/GHSA-7mp7-rfrg-542x
Metrics		cvssV3_1 `{'score': 5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L'}`

Subscriptions

Calibre-ebook Calibre

Kovidgoyal Calibre

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-13T19:00:09.925Z

Updated: 2026-03-13T19:42:26.573Z

Reserved: 2026-03-05T21:27:35.341Z

Link: CVE-2026-30853

Vulnrichment

Updated: 2026-03-13T19:42:23.416Z

NVD

Status : Analyzed

Published: 2026-03-13T19:54:35.077

Modified: 2026-03-18T14:01:22.710

Link: CVE-2026-30853

Redhat

Severity : Moderate

Publid Date: 2026-03-13T19:00:09Z

Links: CVE-2026-30853 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-23T13:40:23Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object