Path Traversal in Kovidgoyal Calibre
CVE-2026-26065
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below are vulnerable to Path Traversal through PDB readers (both 132-byte and 202-byte header variants) that allow arbi…
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.000 (14.9th percentile)
Affected products
- Kovidgoyal Calibre — versions < 9.3.0
References
- https://github.com/kovidgoyal/calibre/security/advisories/GHSA-vmfh-7mr7-pp2w (x_refsource_CONFIRM)
- https://github.com/kovidgoyal/calibre/commit/b6da1c3878c06eb1356cb0ec1106cb66e0e9bfb8 (x_refsource_MISC)