{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25636", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-04T05:15:41.790Z", "datePublished": "2026-02-06T20:07:40.529Z", "dateUpdated": "2026-02-11T14:51:19.827Z"}, "containers": {"cna": {"title": "calibre has a Path Traversal Leading to Arbitrary File Corruption and Code Execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-73", "lang": "en", "description": "CWE-73: External Control of File Name or Path", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-8r26-m7j5-hm29", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-8r26-m7j5-hm29"}, {"name": "https://github.com/kovidgoyal/calibre/commit/9484ea82c6ab226c18e6ca5aa000fa16de598726", "tags": ["x_refsource_MISC"], "url": "https://github.com/kovidgoyal/calibre/commit/9484ea82c6ab226c18e6ca5aa000fa16de598726"}], "affected": [{"vendor": "kovidgoyal", "product": "calibre", "versions": [{"version": "< 9.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T20:07:40.529Z"}, "descriptions": [{"lang": "en", "value": "calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0."}], "source": {"advisory": "GHSA-8r26-m7j5-hm29", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-09T15:19:25.611213Z", "id": "CVE-2026-25636", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:28:11.765Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-11T14:51:19.827Z"}, "references": [{"url": "https://0x5t.raptx.org/posts/calibre-epub-rce"}], "title": "CVE Program Container", "x_generator": {"engine": "ADPogram 0.0.1"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://0x5t.raptx.org/posts/calibre-epub-rce"}], "x_generator": {"engine": "ADPogram 0.0.1"}, "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-11T14:51:19.827Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25636", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-09T15:19:25.611213Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:19:26.244Z"}}], "cna": {"title": "calibre has a Path Traversal Leading to Arbitrary File Corruption and Code Execution", "source": {"advisory": "GHSA-8r26-m7j5-hm29", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "kovidgoyal", "product": "calibre", "versions": [{"status": "affected", "version": "< 9.2.0"}]}], "references": [{"url": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-8r26-m7j5-hm29", "name": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-8r26-m7j5-hm29", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/kovidgoyal/calibre/commit/9484ea82c6ab226c18e6ca5aa000fa16de598726", "name": "https://github.com/kovidgoyal/calibre/commit/9484ea82c6ab226c18e6ca5aa000fa16de598726", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73: External Control of File Name or Path"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T20:07:40.529Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25636", "state": "PUBLISHED", "dateUpdated": "2026-02-11T14:51:19.827Z", "dateReserved": "2026-02-04T05:15:41.790Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-06T20:07:40.529Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:calibre-ebook:calibre:*:*:*:*:*:*:*:*", "matchCriteriaId": "264BDA56-70BE-4FCE-96AD-7F9D1BA0FB54", "versionEndExcluding": "9.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0."}, {"lang": "es", "value": "calibre es un gestor de libros electr\u00f3nicos. En 9.1.0 y versiones anteriores, una vulnerabilidad de salto de ruta en la conversi\u00f3n de EPUB de Calibre permite que un archivo EPUB malicioso corrompa archivos existentes arbitrarios escribibles por el proceso de Calibre. Durante la conversi\u00f3n, Calibre resuelve la URI de CipherReference de META-INF/encryption.xml a una ruta de sistema de archivos absoluta y lo abre en modo de lectura-escritura, incluso cuando apunta fuera del directorio de extracci\u00f3n de la conversi\u00f3n. Esta vulnerabilidad est\u00e1 corregida en 9.2.0."}], "id": "CVE-2026-25636", "lastModified": "2026-02-17T21:23:11.340", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-06T21:16:18.833", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/kovidgoyal/calibre/commit/9484ea82c6ab226c18e6ca5aa000fa16de598726"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-8r26-m7j5-hm29"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://0x5t.raptx.org/posts/calibre-epub-rce"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-73"}, {"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "calibre: Calibre: Arbitrary file corruption via path traversal in EPUB conversion", "id": "2437730", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437730"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H", "status": "draft"}, "details": ["calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0.", "A flaw was found in Calibre, an e-book manager. This path traversal vulnerability allows a malicious EPUB (electronic publication) file to corrupt arbitrary files on the system that the Calibre process has write access to. During EPUB conversion, Calibre incorrectly resolves file paths, enabling an attacker to write to locations outside the intended conversion directory. This can lead to significant data integrity issues and potential denial of service."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, users should avoid processing untrusted EPUB files with Calibre. If Calibre is not required, consider removing the package to eliminate the attack surface."}, "name": "CVE-2026-25636", "public_date": "2026-02-06T20:07:40Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25636\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25636\nhttps://github.com/kovidgoyal/calibre/commit/9484ea82c6ab226c18e6ca5aa000fa16de598726\nhttps://github.com/kovidgoyal/calibre/security/advisories/GHSA-8r26-m7j5-hm29"], "statement": "This IMPORTANT vulnerability in Calibre allows a malicious EPUB file to corrupt arbitrary files and potentially execute code due to a path traversal flaw during EPUB conversion. This affects Calibre versions 9.1.0 and earlier, including those shipped in Red Hat Community Projects like Fedora 42 and 43. Exploitation requires processing a specially crafted EPUB file.", "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-18T18:22:32.352214+00:00", "value": {"mitigation_remediation": ["Upgrade to calibre 9.2.0 or later to apply the fix for the path traversal vulnerability.", "Run Calibre under a user account with minimal write permissions, restricting its ability to modify system or application files outside its working directory.", "Avoid converting EPUB files from untrusted sources or perform the conversion inside a sandboxed environment until a patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Corruption and Code Execution"}, "threat_synthesis": {"affected_systems": "Versions of the calibre e\u2011book manager 9.1.0 and earlier by Kovid Goyal are affected. The issue is fixed in calibre 9.2.0 and later releases.", "description_and_impact": "A path traversal flaw in Calibre\u2019s EPUB conversion process allows a malicious EPUB to resolve a CipherReference URI to an absolute path on the filesystem. When the file points outside the extraction directory, Calibre opens it in read\u2011write mode, enabling the attacker to corrupt any writable file. Depending on the file overwritten, this can lead to service disruption or execution of arbitrary code. The weakness corresponds to Path Traversal, Absolute Path Traversal, and Code Injection.", "risk_and_exploitability": "The vulnerability\u2019s CVSS score of 8.2 indicates high severity, but its EPSS score of less than 1% suggests low current exploitation probability. It is not listed in the CISA KEV catalog. An attacker would supply a crafted EPUB file to the user\u2019s Calibre instance; the exploit relies on write permissions granted to the Calibre process and the presence of a target file that can be overwritten. If successful, the attacker could corrupt configuration files, and based on the vulnerability\u2019s ability to overwrite arbitrary files, it is inferred that replacement of executable binaries or broader host compromise might also be possible."}}}}, "created": "2026-02-09T10:50:16.604158+00:00", "updated": "2026-04-18T18:30:07.283082+00:00", "vendors": ["kovidgoyal", "kovidgoyal$PRODUCT$calibre"]}