Skip to main content

Calibre CVE-2024-7008

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2024-08-06 info@starlabs.sg
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Aug 06, 2024 - 04:16 nvd
MEDIUM 6.1

DescriptionNVD

Unsanitized user-input in Calibre <= 7.15.0 allow attackers to perform reflected cross-site scripting.

AnalysisAI

Unsanitized user-input in Calibre <= 7.15.0 allow attackers to perform reflected cross-site scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Unsanitized user-input in Calibre <= 7.15.0 allow attackers to perform reflected cross-site scripting. Affected products include: Calibre-Ebook Calibre.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2026-26064 HIGH POC
8.8 Feb 20

Remote code execution in Calibre 9.2.1 and earlier allows authenticated users to write arbitrary files via a path traver

CVE-2026-26065 HIGH POC
8.8 Feb 20

Calibre versions 9.2.1 and below allow authenticated users to write arbitrary files with any extension to any writable l

CVE-2026-25635 HIGH POC
8.6 Feb 06

Remote code execution in Calibre prior to version 9.2.0 through a path traversal flaw in the CHM reader allows local att

CVE-2026-25636 HIGH POC
8.2 Feb 06

Calibre 9.1.0 and earlier contains a path traversal vulnerability in EPUB conversion that allows malicious EPUB files to

CVE-2026-25731 HIGH POC
7.8 Feb 06

calibre is an e-book manager. [CVSS 7.8 HIGH]

CVE-2018-7889 HIGH POC
7.8 Mar 08

gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on imported bookmark data, which allows remote attacke

CVE-2024-6781 HIGH POC
7.5 Aug 06

Path traversal in Calibre <= 7.14.0 allow unauthenticated attackers to achieve arbitrary file read. Rated high severity

CVE-2023-46303 HIGH POC
7.5 Oct 22

link_to_local_path in ebooks/conversion/plugins/html_input.py in calibre before 6.19.0 can, by default, add resources ou

CVE-2021-44686 HIGH POC
7.5 Dec 07

calibre before 5.32.0 contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service) i

CVE-2024-7009 HIGH POC
7.1 Aug 06

Unsanitized user-input in Calibre <= 7.15.0 allow users with permissions to perform full-text searches to achieve SQL in

CVE-2026-27810 MEDIUM POC
6.4 Feb 27

HTTP response header injection in Calibre Content Server prior to version 9.4.0 permits authenticated users to inject ar

CVE-2016-10187 MEDIUM POC
5.5 Mar 16

The E-book viewer in calibre before 2.75 allows remote attackers to read arbitrary files via a crafted epub file with Ja

Share

CVE-2024-7008 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy