CVE-2026-26065

moderate-risk

Published 2026-02-20

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below are vulnerable to Path Traversal through PDB readers (both 132-byte and 202-byte header variants) that allow arbitrary file writes with arbitrary extension and arbitrary content anywhere the user has write permissions. Files are written in 'wb' mode, silently overwriting existing files. This can lead to potential code execution and Denial of Service through file corruption. This issue has been fixed in version 9.3.0.

Do I need to act?

0.04% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (1)

Calibre

Affected Vendors

Calibre-Ebook

References (2)

Patch https://github.com/kovidgoyal/calibre/commit/b6da1c3878c06eb1356cb0ec1106cb66e0e...

Exploit https://github.com/kovidgoyal/calibre/security/advisories/GHSA-vmfh-7mr7-pp2w

/ 100

moderate-risk

Severity 30/34 · Critical

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal