CVE-2026-26065
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Description
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below are vulnerable to Path Traversal through PDB readers (both 132-byte and 202-byte header variants) that allow arbitrary file writes with arbitrary extension and arbitrary content anywhere the user has write permissions. Files are written in 'wb' mode, silently overwriting existing files. This can lead to potential code execution and Denial of Service through file corruption. This issue has been fixed in version 9.3.0.
Analysis
Calibre versions 9.2.1 and below allow authenticated users to write arbitrary files with any extension to any writable location via path traversal in PDB file readers, potentially enabling code execution or system compromise through file overwriting. The vulnerability affects both 132-byte and 202-byte PDB header variants and silently overwrites existing files without warning. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all systems running Calibre and assess business criticality. Within 7 days: Apply vendor patch to all Calibre installations, prioritizing systems handling sensitive e-books or integrated with critical workflows. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today