What is the CVSS score of CVE-2026-26064?

CVE-2026-26064 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Windows are affected by CVE-2026-26064?

Calibre versions 9.2.1 and below contain a critical path traversal vulnerability (CVE-2026-26064) that enables attackers to write arbitrary files to any location where the application has write…. A patch is available.

Is there a public PoC exploit available for CVE-2026-26064?

Yes, a public proof-of-concept exploit is available for CVE-2026-26064. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-26064?

Within 24 hours: Identify all systems running Calibre 9.2.1 or below and assess their network exposure and user access levels. Within 7 days: Apply the available vendor patch to all affected instances and verify successful deployment. Within 30 days: Conduct a security audit to confirm patch compliance across the environment and review access logs for any suspicious file write activities during the vulnerability window.

Windows CVE-2026-26064

HIGH

Path Traversal (CWE-22)

2026-02-20 security-advisories@github.com

Windows RCE Path Traversal Calibre Suse

8.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

SUSE

HIGH

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:04 vuln.today

PoC Detected

Feb 20, 2026 - 16:53 vuln.today

Public exploit code

Patch released

Feb 20, 2026 - 16:53 nvd

Patch available

CVE Published

Feb 20, 2026 - 02:16 nvd

HIGH 8.8

DescriptionGitHub Advisory

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows, this leads to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. Function extract_pictures only checks startswith('Pictures'), and does not sanitize '..' sequences. calibre's own ZipFile.extractall() in utils/zipfile.py does sanitize '..' via _get_targetpath(), but extract_pictures() bypasses this by using manual zf.read() + open(). This issue has been fixed in version 9.3.0.

AnalysisAI

Remote code execution in Calibre 9.2.1 and earlier allows authenticated users to write arbitrary files via a path traversal flaw in the extract_pictures() function that fails to properly sanitize directory traversal sequences. On Windows systems, attackers can exploit this to write malicious payloads to the Startup folder, achieving code execution upon the next user login. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Upload malicious ZIP with traversal paths

Exploit

extract_pictures() bypasses sanitization

Execution

Write payload to Windows Startup folder

Impact

Payload executes on next user login

Access

Upload malicious ZIP with traversal paths

Exploit

extract_pictures() bypasses sanitization

Execution

Write payload to Windows Startup folder

Impact

Payload executes on next user login

Vulnerability AssessmentAI

Exploitation	Authenticated user account required (PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 8.8 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A remote attacker could exploit this flaw, Remote Code Execution by writing a payload to the Startup fo.
Remediation	A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running Calibre 9.2.1 or below and assess their network exposure and user access levels. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-12440 CRITICAL Act Now

9.6 Jun 17

Use after free in DigitalCredentials in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to po

CVE-2026-12466 HIGH This Week

8.8 Jun 17

Heap buffer overflow in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to execute

CVE-2026-12437 HIGH This Week

8.3 Jun 17

Use after free in WebShare in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker who had comprom

CVE-2026-12449 HIGH This Week

7.8 Jun 17

Use after free in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to perform OS-

CVE-2026-12461 MEDIUM This Month

6.5 Jun 17

Out of bounds read in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to obtain pot

Vendor StatusVendor

SUSE

Severity: High

CVE-2026-26064 vulnerability details – vuln.today

Back

Windows CVE-2026-26064

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code