CVE-2026-27810

low-risk

Published 2026-02-27

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, an HTTP Response Header Injection vulnerability in the calibre Content Server allows any authenticated user to inject arbitrary HTTP headers into server responses via an unsanitized `content_disposition` query parameter in the `/get/` and `/data-files/get/` endpoints. All users running the calibre Content Server with authentication enabled are affected. The vulnerability is exploitable by any authenticated user and can also be triggered by tricking an authenticated victim into clicking a crafted link. Version 9.4.0 contains a fix for the issue.

Do I need to act?

0.05% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.4/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Calibre

Affected Vendors

Calibre-Ebook

References (1)

Exploit https://github.com/kovidgoyal/calibre/security/advisories/GHSA-5fpj-fxw7-8grw

/ 100

low-risk

Severity 24/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal