Description
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader's web view allows an attacker to perform blind GET requests to arbitrary URLs and exfiltrate information out from the ebook sandbox. Version 9.6.0 patches the issue.
Published: 2026-03-27
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Exposure
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a server‑side request forgery in the background‑image endpoint of calibre’s e‑book viewer. By sending a crafted request to this endpoint, an attacker can cause calibre to perform blind GET requests to arbitrary URLs from the device it runs on, enabling the exfiltration of data that the application can reach. This weakness, classified as CWE‑918, allows information disclosure beyond the intended sandbox of the e‑book.

Affected Systems

The issue affects the calibre e‑book manager developed by Kovidgoyal. All installations of calibre prior to version 9.6.0, regardless of operating system, are vulnerable because the flaw resides in the cross‑platform ebook viewer component. Users running 9.5.x or earlier remain at risk.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate risk, while the EPSS score of less than 1% suggests a low probability of exploitation today. The vulnerability is not listed in CISA's KEV catalog. The description indicates that an attacker may trigger the SSRF by targeting the background‑image endpoint; however, the CVE entry does not specify the exact prerequisites or authentication required, so the precise attack surface is uncertain. Given the limited probability of exploitation and the lack of public exploitation evidence, the threat is moderate but warrants timely remediation.

Generated by OpenCVE AI on March 31, 2026 at 06:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade calibre to version 9.6.0 or later.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 03:00:00 +0000

Type: First Time appeared
Values Added: Calibre-ebook; Calibre-ebook calibre

Type: CPEs
Values Added: cpe:2.3:a:calibre-ebook:calibre:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Calibre-ebook; Calibre-ebook calibre

Type: Metrics
Values Added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Mon, 30 Mar 2026 07:15:00 +0000

Type: First Time appeared
Values Added: Kovidgoyal; Kovidgoyal calibre

Type: Vendors & Products
Values Added: Kovidgoyal; Kovidgoyal calibre

Fri, 27 Mar 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 14:30:00 +0000

Type: Description
Values Added: calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader's web view allows an attacker to perform blind GET requests to arbitrary URLs and exfiltrate information out from the ebook sandbox. Version 9.6.0 patches the issue.

Type: Title
Values Added: calibre has Server-Side Request Forgery in ebook viewer backend

Type: Weaknesses
Values Added: CWE-918

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:58:43.747Z

Reserved: 2026-03-17T23:23:58.312Z

Link: CVE-2026-33205

Vulnrichment

Updated: 2026-03-27T18:57:56.907Z

NVD

Status: Analyzed

Published: 2026-03-27T15:16:54.277

Modified: 2026-03-30T20:48:24.333

Link: CVE-2026-33205

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:01:18Z

Weaknesses