Platform
other
Component
calibre
Fixed in
9.2.1
A path traversal vulnerability has been identified in Calibre, an e-book manager, affecting versions up to 9.2.0. This flaw allows attackers to write arbitrary files within areas where the user has write permissions. On Windows systems, exploitation can lead to Remote Code Execution (RCE) by placing a malicious payload in the Startup folder, triggering execution upon the next login.
The primary impact of this vulnerability is the potential for Remote Code Execution on Windows systems. An attacker could craft a malicious file and leverage the path traversal flaw to write it to the user's Startup folder. Upon the next system login, this file would automatically execute, granting the attacker control over the affected machine. The blast radius extends to any user with write access to the vulnerable Calibre installation. While testing was limited to Windows, the potential for file writes exists on other operating systems, though RCE may not be directly achievable without further exploitation.
This vulnerability was publicly disclosed on 2026-02-06. No public proof-of-concept (PoC) code has been released as of this writing. The CVSS score of 8.6 (HIGH) indicates a significant risk. It is not currently listed on CISA KEV. Active exploitation is not confirmed, but the ease of exploitation and potential for RCE warrant careful attention.
Exploit Status
EPSS
0.08% (24% percentile)
CISA SSVC
CVSS Vector
The recommended mitigation is to immediately upgrade Calibre to version 9.2.0 or later, which addresses this vulnerability. If upgrading is not immediately feasible, consider restricting write access to the Calibre installation directory to prevent unauthorized file modifications. While a direct WAF rule is unlikely to be effective, monitoring file system activity for unexpected file creations within the Calibre directory, particularly in the Startup folder on Windows, can provide an early warning. There are no specific Sigma or YARA patterns available at this time.
Actualice Calibre a la versión 9.2.0 o superior. Esta versión corrige la vulnerabilidad de path traversal que permite la escritura arbitraria de archivos. La actualización se puede realizar a través del gestor de paquetes o descargando la nueva versión desde el sitio web oficial.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-25635 is a Path Traversal vulnerability in Calibre e-book manager versions up to 9.2.0, allowing attackers to write arbitrary files and potentially achieve Remote Code Execution.
You are affected if you are using Calibre version 9.2.0 or earlier. Upgrade to 9.2.0 to resolve the vulnerability.
Upgrade Calibre to version 9.2.0 or later. If upgrading is not possible, restrict write access to the Calibre installation directory.
Active exploitation is not currently confirmed, but the vulnerability's severity and potential impact warrant caution.
Refer to the Calibre project's official website and security advisories for the latest information on CVE-2026-25635.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.