CVE-2026-33205

EUVD-2026-16610
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of the calibre e-book reader's web view allows an attacker to perform blind GET requests to arbitrary URLs and exfiltrate information out of the ebook sandbox. Version 9.6.0 patches the issue.
SSRF
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | 5.5 MEDIUM | LOCAL | LOW | NONE | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS Score
Percentile: 5%
Affected Products (NVD)
Vendor | Product | Version
calibre-ebook | calibre | 𝑥 < 9.6.0
𝑥 = Vulnerable software versions
Debian Releases
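Debian Product | Codename | Version | Status
calibre | bookworm | - | no-dsa
calibre | bullseye | - | vulnerable
calibre | bullseye (security) | - | vulnerable
calibre | forky | 9.8.0+ds+~0.10.5-1 | fixed
calibre | sid | 9.8.0+ds+~0.10.5-1 | fixed
calibre | trixie | - | no-dsa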