
Calibre CVE-2026-30853
EUVD-2026-12069 · MEDIUM
Path Traversal (CWE-22)
2026-03-13 · GitHub_M
CVSS 3.1 score 5.0 · GitHub Advisory

Severity by source

Source           Score        Vector
GitHub Advisory  5.0 MEDIUM   AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L (primary)
SUSE             8.2 HIGH     AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L
Red Hat          5.0 MEDIUM   qualitative

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality: None
  • Integrity: Low
  • Availability: Low

Lifecycle Timeline (4 events)

  • Patch available: Apr 16, 2026, 05:29 (EUVD), fixed in 9.5.0
  • EUVD ID assigned: Mar 13, 2026, 20:00 (euvd), EUVD-2026-12069
  • Analysis generated: Mar 13, 2026, 20:00 (vuln.today)
  • CVE published: Mar 13, 2026, 19:00 (nvd), MEDIUM 5.0

Description (GitHub Advisory)

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to 9.5.0, a path traversal vulnerability in the RocketBook (.rb) input plugin (src/calibre/ebooks/rb/reader.py) allows an attacker to write arbitrary files to any path writable by the calibre process when a user opens or converts a crafted .rb file. This is the same bug class fixed in CVE-2026-26065 for the PDB readers, but the fix was never applied to the RB reader. This vulnerability is fixed in 9.5.0.
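The description names the bug class but the page does not show calibre's code or the 9.5.0 fix, so the following is an added illustration, not calibre's own reader: a generic containment check that any reader of a container format (an .rb file is a container of named entries written out to disk) should apply before creating an output path. The function names (safe_output_path, classify_entries) and the entry names in SAMPLE_ENTRIES are constructed for this example; the check rejects absolute paths, drive-letter prefixes and any ".." component, and then confirms that the resolved path is still inside the output directory, which also catches escapes via symlinks that a pure string check would miss.

```python
import os
import re
from pathlib import Path


def safe_output_path(base_dir, entry_name):
    """Return the absolute on-disk path for a container entry under base_dir,
    or None if writing that entry would land outside base_dir.

    Two layers: a syntactic check on the entry name (no absolute paths, no
    drive letters, no '..' components, no NUL), then a semantic check that the
    resolved path is still inside the resolved base (defeats symlink tricks).
    """
    if not entry_name or "\x00" in entry_name:
        return None
    # Treat backslashes as separators too, so a name crafted on Windows
    # cannot slip past a POSIX-only split.
    name = entry_name.replace("\\", "/")
    if name.startswith("/") or re.match(r"^[A-Za-z]:", name) or os.path.splitdrive(name)[0]:
        return None
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or any(p == ".." for p in parts):
        return None
    base = Path(base_dir).resolve()
    target = (base / Path(*parts)).resolve()
    try:
        target.relative_to(base)  # raises ValueError if target escaped base
    except ValueError:
        return None
    return str(target)


def classify_entries(base_dir, entry_names):
    """Split entry names into (accepted, rejected) lists using safe_output_path.
    A reader would write only the accepted ones and log the rejected ones."""
    accepted, rejected = [], []
    for name in entry_names:
        if safe_output_path(base_dir, name) is None:
            rejected.append(name)
        else:
            accepted.append(name)
    return accepted, rejected


# Constructed sample entry names (not taken from a real .rb file).
SAMPLE_ENTRIES = [
    "chapter1.html",            # plain relative name: accepted
    "images/cover.png",         # nested relative name: accepted
    "./notes.txt",              # harmless leading './': accepted
    "../../../outside.txt",     # classic traversal: rejected
    "images/../../escape.txt",  # traversal hidden after a valid directory: rejected
    "/tmp/absolute.txt",        # absolute path: rejected
    "C:\\Windows\\evil.txt",    # drive-letter path: rejected
    "dir\\..\\..\\escape.txt",  # backslash traversal: rejected
]

if __name__ == "__main__":
    ok, bad = classify_entries("/tmp/rb_extract_demo", SAMPLE_ENTRIES)
    print("accepted:", ok)
    print("rejected:", bad)
```

The key design point is the second layer: normalising the name and rejecting ".." is necessary but not sufficient, because an existing symlink under the output directory can redirect a syntactically clean name elsewhere; resolving both sides and calling relative_to closes that gap.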

Analysis (AI)

Arbitrary file write vulnerability in Calibre's RocketBook input plugin enables attackers to write files to any location accessible by the Calibre process when a user opens or converts a malicious .rb file. The path traversal flaw affects versions prior to 9.5.0 and represents an unpatched instance of the same vulnerability class previously fixed in the PDB reader component. …


Vulnerability Assessment (AI)

Risk Assessment: The CVSS v3.1 score of 5.0 reflects a Medium severity rating with a local attack vector (AV:L), low attack complexity (AC:L), no privilege requirement (PR:N), and user interaction required (UI:R). …

Exploit Scenario: An attacker crafts a malicious RocketBook (.rb) file containing path traversal sequences in file metadata or internal path references, such as '../../../etc/cron.d/malicious_task' or '../../.calibre/plugins/malware.py'. The attacker then distributes this file via email, a file-sharing platform, or e-book repository, claiming it contains legitimate content. …

Remediation: Users should immediately upgrade calibre to version 9.5.0 or later, which includes the fix for the path traversal vulnerability in the RocketBook plugin. …

Recommended Action (AI)

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …


Vendor Status

SUSE: Severity High
