How to fix CVE-2026-26064?

Within 24 hours: Identify all systems running Calibre 9.2.1 or below and assess their network exposure and user access levels. Within 7 days: Apply the available vendor patch to all affected instances and verify successful deployment. Within 30 days: Conduct a security audit to confirm patch compliance across the environment and review access logs for any suspicious file write activities during the vulnerability window.

Is Windows affected by CVE-2026-26064?

Calibre versions 9.2.1 and below contain a critical path traversal vulnerability (CVE-2026-26064) that enables attackers to write arbitrary files to any location where the application has write permissions, potentially compromising system integrity and data security.

CVE-2026-26064

HIGH

2026-02-20 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:04 vuln.today

PoC Detected

Feb 20, 2026 - 16:53 vuln.today

Public exploit code

Patch Released

Feb 20, 2026 - 16:53 nvd

Patch available

CVE Published

Feb 20, 2026 - 02:16 nvd

HIGH 8.8

Description

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows, this leads to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. Function extract_pictures only checks startswith('Pictures'), and does not sanitize '..' sequences. calibre's own ZipFile.extractall() in utils/zipfile.py does sanitize '..' via _get_targetpath(), but extract_pictures() bypasses this by using manual zf.read() + open(). This issue has been fixed in version 9.3.0.

Analysis

Remote code execution in Calibre 9.2.1 and earlier allows authenticated users to write arbitrary files via a path traversal flaw in the extract_pictures() function that fails to properly sanitize directory traversal sequences. On Windows systems, attackers can exploit this to write malicious payloads to the Startup folder, achieving code execution upon the next user login. …

Remediation

Within 24 hours: Identify all systems running Calibre 9.2.1 or below and assess their network exposure and user access levels. Within 7 days: Apply the available vendor patch to all affected instances and verify successful deployment. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +44

POC: +20

Vendor Status

CVE-2026-26064 vulnerability details – vuln.today

Back

CVE-2026-26064

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Vendor Status

Share

CVE-2026-26064

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Vendor Status

Share

External POC / Exploit Code