Vulnerability Description
calibre is an e-book manager. Prior to 9.2.0, Calibre's CHM reader contains a path traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows (haven't tested on other OS's), this can lead to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. This vulnerability is fixed in 9.2.0.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Calibre-Ebook | Calibre | < 9.2.0 |
Related Weaknesses (CWE)
References
- https://github.com/kovidgoyal/calibre/commit/9739232fcb029ac15dfe52ccd4fdb4a07ebPatch
- https://github.com/kovidgoyal/calibre/security/advisories/GHSA-32vh-whvh-9fxrExploitThird Party Advisory
- https://0x5t.raptx.org/posts/calibre-chm-rceExploitThird Party Advisory
FAQ
What is CVE-2026-25635?
CVE-2026-25635 is a vulnerability with a CVSS score of 8.6 (HIGH). calibre is an e-book manager. Prior to 9.2.0, Calibre's CHM reader contains a path traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows (haven'...
How severe is CVE-2026-25635?
CVE-2026-25635 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-25635?
Check the references section above for vendor advisories and patch information. Affected products include: Calibre-Ebook Calibre.