Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-26065

CVE-2026-26065: Calibre-ebook Path Traversal Vulnerability

CVE-2026-26065 is a path traversal flaw in Calibre-ebook versions 9.2.1 and below that enables arbitrary file writes, potentially leading to code execution. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-26065 Overview

CVE-2026-26065 is a critical Path Traversal vulnerability affecting Calibre, the popular cross-platform e-book manager used for viewing, converting, editing, and cataloging e-books. The vulnerability exists in the PDB (Palm Database) readers, specifically in both 132-byte and 202-byte header variants, allowing attackers to write arbitrary files with arbitrary extensions and content to any location where the user has write permissions.

The vulnerability enables malicious actors to craft specially formatted PDB e-book files that, when processed by Calibre, can write files outside the intended extraction directory. Files are written in binary write mode (wb), which silently overwrites existing files without warning, significantly increasing the potential for damage.

Critical Impact

This vulnerability allows arbitrary file writes that can lead to code execution through overwriting critical system or application files, and Denial of Service through corruption of important files on the victim's system.

Affected Products

  • Calibre versions 9.2.1 and below
  • All platforms (Windows, macOS, Linux) running vulnerable Calibre versions
  • Systems processing untrusted PDB e-book files

Discovery Timeline

  • 2026-02-20 - CVE-2026-26065 published to NVD
  • 2026-02-20 - Last updated in NVD database

Technical Details for CVE-2026-26065

Vulnerability Analysis

This Path Traversal vulnerability (CWE-22) exists in Calibre's PDB reader components. The flaw stems from inadequate validation of file paths extracted from PDB e-book metadata. When processing image files embedded within PDB format e-books, the application fails to properly sanitize filenames, allowing directory traversal sequences (such as ../) to escape the intended extraction container.

The vulnerability affects two distinct reader implementations: reader132.py for 132-byte PDB headers and reader202.py for 202-byte headers. Both implementations suffered from the same fundamental flaw—trusting user-controlled filename data from the PDB file structure without proper path validation.

The local attack vector requires user interaction, as a victim must open a maliciously crafted PDB file. However, given Calibre's widespread use for managing e-book libraries and its integration with various e-book sources, the attack surface is significant.

Root Cause

The root cause is insufficient input validation in the PDB image extraction routines. When extracting images from PDB files, the vulnerable code directly used the image name from the file metadata to construct the output path without verifying that the resulting path remained within the intended output directory. This allowed attackers to include path traversal sequences in image names, causing files to be written to arbitrary locations.

Attack Vector

An attacker can exploit this vulnerability by crafting a malicious PDB e-book file containing embedded images with path traversal sequences in their names. When a victim opens this file with a vulnerable version of Calibre, the application extracts the images to locations outside the intended directory.

Potential attack scenarios include:

  • Overwriting configuration files to achieve code execution on application restart
  • Replacing executable files or scripts in user-accessible locations
  • Corrupting critical user documents causing data loss
  • Planting malicious files in startup directories for persistence

The security patch introduces a new image_dest() function that validates extracted image paths remain within the container directory:

python
    def image_dest(self, name, cwd):
        base = os.path.abspath(cwd)
        if not base.endswith(os.sep):
            base += os.sep
        ans = os.path.abspath(os.path.join(base, name))
        if os.path.commonprefix([ans, base]) != base:
            ans = ''
        return ans

Source: GitHub Commit

The fix in reader202.py ensures all image extractions use the validated destination path:

python
        if not os.path.exists(os.path.join(output_dir, 'images/')):
            os.makedirs(os.path.join(output_dir, 'images/'))
        images = []
        with CurrentDir(os.path.join(output_dir, 'images/')) as cwd:
            for i in range(self.header_record.non_text_offset, len(self.sections)):
                name, img = self.get_image(i)
                name = as_unicode(name or b'')
                if name and (dest := self.image_dest(name, cwd)):
                    images.append(name)
                    with open(dest, 'wb') as imgf:
                        self.log.debug(f'Writing image {name} to images/')
                        imgf.write(img)

Source: GitHub Commit

Detection Methods for CVE-2026-26065

Indicators of Compromise

  • Unexpected file modifications outside of Calibre's library directories during e-book import operations
  • PDB files containing image entries with path traversal sequences (../, ..\\, or absolute paths)
  • Newly created or modified files in system directories coinciding with Calibre usage
  • Unexpected application crashes or configuration changes after opening PDB files

Detection Strategies

  • Monitor file system activity during Calibre e-book import operations for writes outside the library directory
  • Implement file integrity monitoring on critical system files and startup directories
  • Scan incoming PDB files for path traversal patterns in embedded metadata
  • Deploy endpoint detection rules to alert on suspicious file writes correlating with Calibre process activity

Monitoring Recommendations

  • Enable detailed logging for Calibre operations, particularly e-book import and conversion activities
  • Monitor for the creation of files with unusual extensions in system directories
  • Implement behavioral analysis to detect Calibre writing files to unexpected locations
  • Review and audit recently imported PDB files from untrusted sources

How to Mitigate CVE-2026-26065

Immediate Actions Required

  • Upgrade Calibre to version 9.3.0 or later immediately
  • Avoid opening PDB e-book files from untrusted sources until the upgrade is complete
  • Review systems for signs of exploitation if untrusted PDB files have been recently processed
  • Consider restricting Calibre's file system access using application sandboxing where available

Patch Information

The vulnerability has been addressed in Calibre version 9.3.0. The fix introduces path validation in the image_dest() function for both PDB reader variants, ensuring extracted images cannot escape the intended container directory. The patch is available in the official GitHub commit.

For detailed information about the security issue, refer to the GitHub Security Advisory.

Workarounds

  • Avoid processing PDB format e-books from untrusted sources until patched
  • Run Calibre in a sandboxed environment or container with restricted file system access
  • Use a dedicated user account with minimal privileges for running Calibre
  • Convert untrusted PDB files using an isolated system before importing into your primary library
bash
# Example: Run Calibre with restricted file system access using firejail (Linux)
firejail --private=~/calibre-sandbox calibre

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.