CVE-2026-27810

EUVD-2026-9056

27.02.2026, 20:21

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, an HTTP Response Header Injection vulnerability in the calibre Content Server allows any authenticated user to inject arbitrary HTTP headers into server responses via an unsanitized `content_disposition` query parameter in the `/get/` and `/data-files/get/` endpoints. All users running the calibre Content Server with authentication enabled are affected. The vulnerability is exploitable by any authenticated user and can also be triggered by tricking an authenticated victim into clicking a crafted link. Version 9.4.0 contains a fix for the issue.

HTTP Request/Response Splitting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
calibre-ebook	calibre	𝑥 < 9.4.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

calibre

bookworm	no-dsa
bullseye	vulnerable
bullseye (security)	vulnerable
forky	9.7.0+ds+~0.10.5-2 fixed
sid	9.7.0+ds+~0.10.5-2 fixed
trixie	no-dsa

Known Exploits!

https://github.com/kovidgoyal/calibre/security/advisories/GHSA-5fpj-fxw7-8grw

Common Weakness Enumeration

CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
The software receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

References

https://github.com/kovidgoyal/calibre/security/advisories/GHSA-5fpj-fxw7-8grw