Platform: other
Component: calibre
Fixed in: 9.2.1
CVE-2026-25636 describes a Path Traversal vulnerability discovered in Calibre, an e-book manager. This flaw allows a specially crafted EPUB file to corrupt arbitrary files accessible to the Calibre process, potentially leading to data loss or system compromise. The vulnerability impacts versions of Calibre up to and including 9.2.0, and a fix is available in version 9.2.0.
An attacker could exploit this vulnerability by crafting a malicious EPUB file. When Calibre attempts to convert this file, the vulnerability allows the attacker to specify an arbitrary file path outside of the intended conversion directory. Calibre then opens this file in read-write mode, enabling the attacker to overwrite or delete existing files. The potential impact ranges from data corruption within the Calibre library to broader system compromise if Calibre runs with elevated privileges. This is particularly concerning for users who manage sensitive e-books or use Calibre on shared systems.
This vulnerability was publicly disclosed on 2026-02-06. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature suggests a relatively low barrier to exploitation. It is not currently listed on the CISA KEV catalog. The EPSS score is pending evaluation.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-25636 is to upgrade Calibre to version 9.2.0 or later, which contains the fix. If upgrading is not immediately feasible, consider restricting the types of EPUB files accepted from untrusted sources. Implement a strict file extension whitelist to prevent the processing of potentially malicious files. Monitor Calibre's file system access logs for unusual activity, particularly writes to unexpected locations. After upgrading, confirm the fix by attempting to convert a test EPUB file with a deliberately malformed CipherReference URI; the conversion should fail with an appropriate error message.
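A containment check of the kind the verification step above relies on, written as an added example (not calibre's code): it resolves every CipherReference URI from a constructed META-INF/encryption.xml against the directory the EPUB was unpacked into and rejects any reference that escapes it. The namespace is the XML Encryption namespace used by EPUB encryption.xml; the root directory is an assumed placeholder and need not exist.

```python
"""Containment check for EPUB resource URIs such as the CipherReference URI in
META-INF/encryption.xml: each must resolve inside the directory the EPUB was
unpacked into.  Added example, not calibre's code; sample XML is constructed."""
import os
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

# Namespace of <CipherReference> in encryption.xml (XML Encryption 1.0).
ENC_NS = "http://www.w3.org/2001/04/xmlenc#"

def resolve_epub_uri(root_dir: str, uri: str) -> str:
    """Map a URI from inside an EPUB to a path under root_dir, or raise ValueError.
    Rejects URIs with a scheme or host, absolute paths, backslashes, NULs and
    any '..' that climbs above root_dir, including percent-encoded forms."""
    parts = urlsplit(uri)
    if parts.scheme or parts.netloc:
        raise ValueError(f"non-local URI rejected: {uri!r}")
    rel = unquote(parts.path)  # decode %2e%2e etc. before any check
    if not rel or rel.startswith("/") or "\\" in rel or "\x00" in rel:
        raise ValueError(f"empty, absolute or malformed path rejected: {uri!r}")
    norm = posixpath.normpath(rel)  # collapse '.' and '..' segments
    if norm == ".." or norm.startswith("../"):
        raise ValueError(f"path traversal rejected: {uri!r}")
    root = os.path.realpath(root_dir)
    full = os.path.realpath(os.path.join(root, *norm.split("/")))
    if os.path.commonpath([root, full]) != root:  # symlink or other escape
        raise ValueError(f"path escapes conversion directory: {uri!r}")
    return full

def is_contained(root_dir: str, uri: str) -> bool:
    """True if resolve_epub_uri accepts the URI."""
    try:
        resolve_epub_uri(root_dir, uri)
        return True
    except ValueError:
        return False

def check_encryption_xml(root_dir: str, xml_text: str) -> dict[str, bool]:
    """Map every CipherReference URI in an encryption.xml document to its verdict."""
    doc = ET.fromstring(xml_text)
    return {el.get("URI", ""): is_contained(root_dir, el.get("URI", ""))
            for el in doc.iter(f"{{{ENC_NS}}}CipherReference")}

# Constructed samples: a normal font reference and one that climbs out of the root.
GOOD_XML = (f'<encryption xmlns:enc="{ENC_NS}"><enc:EncryptedData><enc:CipherData>'
            '<enc:CipherReference URI="OEBPS/fonts/a.otf"/>'
            '</enc:CipherData></enc:EncryptedData></encryption>')
BAD_XML = GOOD_XML.replace("OEBPS/fonts/a.otf", "../../%2e%2e/outside.bin")
```

Running the check on the two samples accepts the font reference and rejects the climbing one; the same function can be applied to other EPUB-internal references (manifest hrefs, container rootfiles) before any file is opened.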
Update Calibre to version 9.2.0 or later. This update fixes the path traversal vulnerability that allows arbitrary file corruption and code execution. Download the latest version from the official Calibre website.
CVE-2026-25636 is a Path Traversal vulnerability in the Calibre e-book manager that allows malicious EPUB files to corrupt files. It affects versions up to 9.2.0.
Yes, if you are using Calibre version 9.2.0 or earlier, you are affected by this vulnerability.
Upgrade Calibre to version 9.2.0 or later to resolve this vulnerability. Consider restricting file types from untrusted sources as an interim measure.
There are no confirmed reports of active exploitation at this time, but the vulnerability's nature suggests a potential for exploitation.
Refer to the Calibre project's official website and security advisories for the latest information: https://calibre-ebook.com/