Description
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader's web view allows an attacker to perform blind GET requests to arbitrary URLs and exfiltrate information out from the ebook sandbox. Version 9.6.0 patches the issue.
Published: 2026-03-27
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: Server-Side Request Forgery enabling blind GET requests to arbitrary URLs
Action: Apply Patch
AI Analysis

Impact

The vulnerability is present in the background-image endpoint of Calibre's ebook viewer web backend. It allows a server-side request forgery that enables an attacker to send blind GET requests to arbitrary external URLs from within the application, bypassing the restrictions of the ebook sandbox. This can result in the exfiltration of information such as metadata or internal data that the application may access.

Affected Systems

All releases of Calibre built by Kovid Goyal before version 9.6.0 are affected. The issue exists in the desktop distribution on any operating system supported by Calibre. Users who open e-books that contain malicious content that references an arbitrary URL in the background-image field are at risk.

Risk and Exploitability

The listed CVSS base score of 4.8 indicates medium severity. No EPSS score is available and the vulnerability is not in the KEV catalog. Exploitation requires an attacker to supply a malicious e-book that a user opens in Calibre, which then triggers the vulnerable endpoint. The likely attack vector is user interaction with a crafted e-book; this inference is drawn from the description of the background-image endpoint. Because the vulnerability exists only when the application processes user-supplied content, the probability of exploitation depends on the user opening such a book.

Generated by OpenCVE AI on March 27, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Calibre to version 9.6.0 or newer.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader's web view allows an attacker to perform blind GET requests to arbitrary URLs and exfiltrate information out from the ebook sandbox. Version 9.6.0 patches the issue.
Title | (none) | calibre has Server-Side Request Forgery in ebook viewer backend
Weaknesses | (none) | CWE-918
References | |
Metrics | (none) | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:58:43.747Z

Reserved: 2026-03-17T23:23:58.312Z

Link: CVE-2026-33205

Vulnrichment

Updated: 2026-03-27T18:57:56.907Z

NVD

Status: Received

Published: 2026-03-27T15:16:54.277

Modified: 2026-03-27T15:16:54.277

Link: CVE-2026-33205

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:28:49Z

Weaknesses