Path Traversal in Kovidgoyal Calibre
CVE-2026-26064
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions…
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.001 (24.2th percentile)
Affected products
- Kovidgoyal Calibre — versions < 9.3.0
Weakness classification (CWE)
References
- https://github.com/kovidgoyal/calibre/security/advisories/GHSA-72ch-3hqc-pgmp (x_refsource_CONFIRM)
- https://github.com/kovidgoyal/calibre/commit/e1b5f9b45a5e8fa96c136963ad9a1d35e6adac62 (x_refsource_MISC)