Skip to main content

Calibre CVE-2024-7009

HIGH
SQL Injection (CWE-89)
2024-08-06 info@starlabs.sg
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Aug 06, 2024 - 04:16 nvd
HIGH 7.1

DescriptionNVD

Unsanitized user-input in Calibre <= 7.15.0 allow users with permissions to perform full-text searches to achieve SQL injection on the SQLite database.

AnalysisAI

Unsanitized user-input in Calibre <= 7.15.0 allow users with permissions to perform full-text searches to achieve SQL injection on the SQLite database. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. Unsanitized user-input in Calibre <= 7.15.0 allow users with permissions to perform full-text searches to achieve SQL injection on the SQLite database. Affected products include: Calibre-Ebook Calibre.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

CVE-2026-26064 HIGH POC
8.8 Feb 20

Remote code execution in Calibre 9.2.1 and earlier allows authenticated users to write arbitrary files via a path traver

CVE-2026-26065 HIGH POC
8.8 Feb 20

Calibre versions 9.2.1 and below allow authenticated users to write arbitrary files with any extension to any writable l

CVE-2026-25635 HIGH POC
8.6 Feb 06

Remote code execution in Calibre prior to version 9.2.0 through a path traversal flaw in the CHM reader allows local att

CVE-2026-25636 HIGH POC
8.2 Feb 06

Calibre 9.1.0 and earlier contains a path traversal vulnerability in EPUB conversion that allows malicious EPUB files to

CVE-2026-25731 HIGH POC
7.8 Feb 06

calibre is an e-book manager. [CVSS 7.8 HIGH]

CVE-2018-7889 HIGH POC
7.8 Mar 08

gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on imported bookmark data, which allows remote attacke

CVE-2024-6781 HIGH POC
7.5 Aug 06

Path traversal in Calibre <= 7.14.0 allow unauthenticated attackers to achieve arbitrary file read. Rated high severity

CVE-2023-46303 HIGH POC
7.5 Oct 22

link_to_local_path in ebooks/conversion/plugins/html_input.py in calibre before 6.19.0 can, by default, add resources ou

CVE-2021-44686 HIGH POC
7.5 Dec 07

calibre before 5.32.0 contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service) i

CVE-2026-27810 MEDIUM POC
6.4 Feb 27

HTTP response header injection in Calibre Content Server prior to version 9.4.0 permits authenticated users to inject ar

CVE-2024-7008 MEDIUM POC
6.1 Aug 06

Unsanitized user-input in Calibre <= 7.15.0 allow attackers to perform reflected cross-site scripting. Rated medium seve

CVE-2016-10187 MEDIUM POC
5.5 Mar 16

The E-book viewer in calibre before 2.75 allows remote attackers to read arbitrary files via a crafted epub file with Ja

Share

CVE-2024-7009 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy