CVE-2026-26065HIGH 8.8EPSS p39.9%

CVE-2026-26065CVE-2026-26065

Description

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below are vulnerable to Path Traversal through PDB readers (both 132-byte and 202-byte header variants) that allow arbitrary file writes with arbitrary extension and arbitrary content anywhere the user has write permissions. Files are written in 'wb' mode, silently overwriting existing files. This can lead to potential code execution and Denial of Service through file corruption. This issue has been fixed in version 9.3.0.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.52% probability of exploitation · percentile 39.9% · 2026-06-21T12:00:28Z
Published2026-02-20
Last modified2026-02-20

Underlying weaknesses· 1

CWE-22

References

  1. https://github.com/kovidgoyal/calibre/commit/b6da1c3878c06eb1356cb0ec1106cb66e0e9bfb8
  2. https://github.com/kovidgoyal/calibre/security/advisories/GHSA-vmfh-7mr7-pp2w

1

TypeTargetConfidenceTier
WeaknessImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')cwe-220%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-25635
CVE
CVE-2026-30853
CVE
CVE-2026-26064
CVE
CVE-2025-69621
CVE
CVE-2025-7404
CVE
CVE-2026-6815
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.