Vulnerability Description
calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Calibre-Ebook | Calibre | < 9.2.0 |
Related Weaknesses (CWE)
References
- https://github.com/kovidgoyal/calibre/commit/9484ea82c6ab226c18e6ca5aa000fa16de5Patch
- https://github.com/kovidgoyal/calibre/security/advisories/GHSA-8r26-m7j5-hm29ExploitThird Party Advisory
- https://0x5t.raptx.org/posts/calibre-epub-rceExploitThird Party Advisory
FAQ
What is CVE-2026-25636?
CVE-2026-25636 is a vulnerability with a CVSS score of 8.2 (HIGH). calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre...
How severe is CVE-2026-25636?
CVE-2026-25636 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-25636?
Check the references section above for vendor advisories and patch information. Affected products include: Calibre-Ebook Calibre.