EUVD-2026-16612Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a path traversal vulnerability exists in Calibre' handling of images in Markdown and other similar text-based files allowing an attacker to include arbitrary files from the file system into the converted book. Additionally, missing authentication and server-side request forgery in the background-image endpoint in the ebook reader web view allow the files to be exfiltrated without additional interaction. Version 9.6.0 contains a fix.
AnalysisAI
Calibre versions prior to 9.6.0 allow remote attackers to exfiltrate arbitrary files from the host system through a combination of path traversal in image handling during file conversion and unauthenticated server-side request forgery in the ebook reader web view's background-image endpoint. An attacker can craft a malicious markdown or text-based file that references files outside the intended directory, then retrieve those files through the unprotected background-image handler without authentication, enabling complete file system disclosure on systems running vulnerable Calibre instances.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Local attacker requires user interaction: victim must open a crafted Markdown or text-based e-book file in Calibre prior to version 9.6.0. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Although CVSS and EPSS scores are not provided in the available data, this vulnerability presents substantial real-world risk based on multiple factors: the attack vector is network-based requiring only file upload or conversion of a text file (low complexity), no authentication is explicitly required for the background-image endpoint (critical gap), and the technical impact is complete confidentiality breach (arbitrary file read). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious markdown file containing image references with path traversal sequences (e.g., '') and distributes it to a Calibre user via email or a shared document repository. When the user opens and converts the file in Calibre (a common and expected action), the path traversal flaw allows the conversion process to read the sensitive file from the system. … |
| Remediation | Upgrade Calibre to version 9.6.0 or later immediately, as this version contains the fix for both the path traversal and missing authentication issues. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running Calibre versions prior to 9.6.0 using asset inventory and network scanning. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Vendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today