SSRF in Kovidgoyal Calibre
CVE-2026-33205
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader's web view a…
Vulnerability class: SSRF (Server-Side Request Forgery)
EPSS: 0.000 (6.5th percentile)
Affected products
- Kovidgoyal Calibre — versions < 9.6.0
Weakness classification (CWE)
References
- https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v (x_refsource_CONFIRM)