CVE-2026-25636

EUVD-2026-5597

06.02.2026, 21:16

calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0.

Path Traversal

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.2 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
calibre-ebook	calibre	𝑥 < 9.2.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

calibre

bookworm	vulnerable
bullseye	vulnerable
bullseye (security)	vulnerable
forky	9.6.0+ds+~0.10.5-5 fixed
sid	9.6.0+ds+~0.10.5-6 fixed
trixie	vulnerable

Ubuntu Releases

Ubuntu Product

Codename

calibre

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
questing	needs-triage
xenial	needs-triage

Known Exploits!

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

https://github.com/kovidgoyal/calibre/commit/9484ea82c6ab226c18e6ca5aa000fa16de598726

https://github.com/kovidgoyal/calibre/security/advisories/GHSA-8r26-m7j5-hm29

https://0x5t.raptx.org/posts/calibre-epub-rce