{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25731", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-05T16:48:00.427Z", "datePublished": "2026-02-06T20:14:35.822Z", "dateUpdated": "2026-02-06T21:02:01.147Z"}, "containers": {"cna": {"title": "Calibre Affected by Arbitrary Code Execution via Server-Side Template Injection in Calibre HTML Export", "problemTypes": [{"descriptions": [{"cweId": "CWE-1336", "lang": "en", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-xrh9-w7qx-3gcc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-xrh9-w7qx-3gcc"}, {"name": "https://github.com/kovidgoyal/calibre/commit/f0649b27512e987b95fcab2e1e0a3bcdafc23379", "tags": ["x_refsource_MISC"], "url": "https://github.com/kovidgoyal/calibre/commit/f0649b27512e987b95fcab2e1e0a3bcdafc23379"}], "affected": [{"vendor": "kovidgoyal", "product": "calibre", "versions": [{"version": "< 9.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T20:14:35.822Z"}, "descriptions": [{"lang": "en", "value": "calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index command-line options. This vulnerability is fixed in 9.2.0."}], "source": {"advisory": "GHSA-xrh9-w7qx-3gcc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-06T21:01:31.473045Z", "id": "CVE-2026-25731", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T21:02:01.147Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25731", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-06T21:01:31.473045Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T21:01:51.273Z"}}], "cna": {"title": "Calibre Affected by Arbitrary Code Execution via Server-Side Template Injection in Calibre HTML Export", "source": {"advisory": "GHSA-xrh9-w7qx-3gcc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "kovidgoyal", "product": "calibre", "versions": [{"status": "affected", "version": "< 9.2.0"}]}], "references": [{"url": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-xrh9-w7qx-3gcc", "name": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-xrh9-w7qx-3gcc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/kovidgoyal/calibre/commit/f0649b27512e987b95fcab2e1e0a3bcdafc23379", "name": "https://github.com/kovidgoyal/calibre/commit/f0649b27512e987b95fcab2e1e0a3bcdafc23379", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index command-line options. This vulnerability is fixed in 9.2.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1336", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T20:14:35.822Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25731", "state": "PUBLISHED", "dateUpdated": "2026-02-06T21:02:01.147Z", "dateReserved": "2026-02-05T16:48:00.427Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-06T20:14:35.822Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:calibre-ebook:calibre:*:*:*:*:*:*:*:*", "matchCriteriaId": "264BDA56-70BE-4FCE-96AD-7F9D1BA0FB54", "versionEndExcluding": "9.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index command-line options. This vulnerability is fixed in 9.2.0."}, {"lang": "es", "value": "calibre es un gestor de libros electr\u00f3nicos. Antes de la versi\u00f3n 9.2.0, una vulnerabilidad de inyecci\u00f3n de plantillas del lado del servidor (SSTI) en el motor de plantillas Templite de Calibre permite la ejecuci\u00f3n de c\u00f3digo arbitrario cuando un usuario convierte un libro electr\u00f3nico utilizando un archivo de plantilla personalizado malicioso a trav\u00e9s de las opciones de l\u00ednea de comandos --template-html o --template-html-index. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 9.2.0."}], "id": "CVE-2026-25731", "lastModified": "2026-02-17T21:18:56.893", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-06T21:16:19.457", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/kovidgoyal/calibre/commit/f0649b27512e987b95fcab2e1e0a3bcdafc23379"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-xrh9-w7qx-3gcc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1336"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "calibre: Calibre: Arbitrary Code Execution via malicious custom template file during ebook conversion", "id": "2437917", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437917"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-917", "details": ["calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index command-line options. This vulnerability is fixed in 9.2.0.", "A flaw was found in Calibre, an e-book manager. This Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows an attacker to achieve arbitrary code execution. This occurs when a user converts an ebook using a specially crafted malicious custom template file, provided via the --template-html or --template-html-index command-line options. This could lead to a complete compromise of the affected system."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, users should avoid converting ebooks using untrusted or malicious custom template files with the `--template-html` or `--template-html-index` command-line options. Only use template files from trusted sources."}, "name": "CVE-2026-25731", "public_date": "2026-02-06T20:14:35Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25731\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25731\nhttps://github.com/kovidgoyal/calibre/commit/f0649b27512e987b95fcab2e1e0a3bcdafc23379\nhttps://github.com/kovidgoyal/calibre/security/advisories/GHSA-xrh9-w7qx-3gcc"], "statement": "This is an IMPORTANT arbitrary code execution vulnerability in Calibre's HTML export functionality. It occurs when a user processes an ebook with a specially crafted custom template file using the `--template-html` or `--template-html-index` command-line options. This issue affects Calibre versions prior to 9.2.0, as distributed in Fedora 42 and Fedora 43.", "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-17T22:27:55.518404+00:00", "value": {"mitigation_remediation": ["Upgrade Calibre to version 9.2.0 or later, which removes the vulnerable templating engine from the conversion process.", "If an update cannot be applied immediately, eliminate the use of the --template-html and --template-html-index options or restrict the template directory to trusted users only; alternatively, delete any malicious or unverified custom template files before conversion.", "Monitor Calibre activity for uncommon template parsing errors or execution of unexpected commands, and consider sandboxing the conversion process to contain any accidental code execution."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Code Execution via SSTI"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all Kalidgoyal Calibre releases prior to version 9.2.0. Users running Calibre installed from any source before this version are impacted. Updated binaries from Calibre 9.2.0 and later incorporate the fix that removes the vulnerable templating engine path.", "description_and_impact": "A Server-Side Template Injection flaw in Calibre\u2019s templating engine allows an attacker to embed and execute arbitrary code while converting an e\u2011book with custom template files supplied through the --template-html or --template-html-index command\u2011line options. The injection vulnerability means any code can be run in the context of the user running Calibre, potentially compromising the file system, exposing credentials, or installing persistent malware. The weakness is classified as SSTI (CWE\u20111336) and involves incorrect template handling (CWE\u2011917).", "risk_and_exploitability": "The CVSS score of 7.8 indicates high severity. EPSS is below 1\u202f%, signifying a currently low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to deliver a malicious template file to a user who executes a conversion with the vulnerable options, so the attack vector is most likely local. In environments where users have command\u2011line or scripting access to Calibre, the risk escalates because an attacker could supply a crafted template without further interaction. The confirmed fix is limited to version 9.2.0 and newer; no publicly documented exploits exist yet, but the potential for abuse remains."}}}}, "created": "2026-02-09T10:49:44.954935+00:00", "updated": "2026-04-17T22:30:29.598833+00:00", "vendors": ["kovidgoyal", "kovidgoyal$PRODUCT$calibre"]}