CVE-2026-30853 Overview
CVE-2026-30853 is a path traversal vulnerability discovered in calibre, a cross-platform e-book manager used for viewing, converting, editing, and cataloging e-books. The vulnerability exists in the RocketBook (.rb) input plugin located in src/calibre/ebooks/rb/reader.py. When a user opens or converts a specially crafted .rb file, an attacker can exploit this flaw to write arbitrary files to any path writable by the calibre process.
This vulnerability represents the same bug class that was previously fixed in CVE-2026-26065 for the PDB readers, but the fix was never applied to the RB reader component, leaving it exposed to the same attack vector.
Critical Impact
Arbitrary file write capability allows attackers to potentially overwrite critical system files, plant malicious executables, or establish persistence mechanisms when users interact with malicious e-book files.
Affected Products
- calibre-ebook calibre versions prior to 9.5.0
Discovery Timeline
- 2026-03-13 - CVE CVE-2026-30853 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2026-30853
Vulnerability Analysis
This path traversal vulnerability (CWE-22) in calibre's RocketBook reader allows attackers to escape the intended directory structure and write files to arbitrary locations. The vulnerability requires local access and user interaction—specifically, the victim must open or convert a maliciously crafted .rb e-book file. Despite requiring user interaction, the scope of impact extends beyond the vulnerable component, potentially affecting the confidentiality and availability of the entire system.
The vulnerability is particularly concerning because it enables arbitrary file writes, which can lead to various attack scenarios including code execution through overwriting executable files, configuration tampering, or denial of service through destruction of critical files.
Root Cause
The root cause lies in insufficient input validation within the RocketBook reader implementation at src/calibre/ebooks/rb/reader.py. The reader fails to properly sanitize file paths contained within .rb files before writing content to the filesystem. This allows path traversal sequences (such as ../) embedded in the malicious file to escape the expected output directory and target arbitrary locations accessible by the calibre process.
This is a regression-style vulnerability where a fix applied to the PDB readers for CVE-2026-26065 was not consistently applied across all similar input plugins, demonstrating the importance of comprehensive security fixes across related codebases.
Attack Vector
The attack requires local access to deliver the malicious .rb file to the victim. An attacker must craft a RocketBook file containing manipulated path entries with directory traversal sequences. When the victim uses calibre to open or convert this file, the application writes embedded content to attacker-specified paths outside the intended output directory.
The vulnerability manifests during the file parsing and extraction process within the RocketBook reader. When the reader processes the internal file structure of an .rb file, it extracts and writes content based on path information embedded in the file format. By including path traversal sequences in these embedded paths, an attacker can direct writes to arbitrary filesystem locations accessible to the calibre process. For technical details and specific implementation information, see the GitHub Security Advisory.
Detection Methods for CVE-2026-30853
Indicators of Compromise
- Unexpected file modifications or creation in directories outside calibre's normal working directories
- Presence of .rb files from untrusted sources in user download folders or email attachments
- System log entries showing calibre process writing to unusual filesystem locations
- New or modified executable files, scripts, or configuration files coinciding with calibre usage
Detection Strategies
- Monitor file system activity from calibre processes for writes outside expected library and output directories
- Implement application allowlisting to detect unauthorized file modifications by calibre
- Deploy endpoint detection rules that alert on path traversal patterns (../) in file operations initiated by e-book management applications
- Use SentinelOne's behavioral AI to detect anomalous file write patterns from trusted applications
Monitoring Recommendations
- Enable detailed file integrity monitoring on critical system directories and application installation paths
- Configure alerts for calibre process activity writing to system directories, startup folders, or scheduled task locations
- Review and audit .rb files before opening, particularly those received from external sources
- Monitor for creation of new files in user profile directories (such as startup folders) following calibre execution
How to Mitigate CVE-2026-30853
Immediate Actions Required
- Upgrade calibre to version 9.5.0 or later immediately
- Avoid opening or converting .rb files from untrusted or unknown sources until the patch is applied
- Run calibre with least privilege—avoid running as administrator or root user
- Review recent file system activity if suspicious .rb files have been processed
Patch Information
The vulnerability is fixed in calibre version 9.5.0. Users should upgrade to this version or later to remediate the vulnerability. The patch applies proper path sanitization to the RocketBook reader, preventing directory traversal sequences from escaping the intended output directory.
For detailed patch information and security advisory details, refer to the GitHub Security Advisory GHSA-7mp7-rfrg-542x.
Workarounds
- Temporarily disable or avoid using the RocketBook import functionality until the patch can be applied
- Process only .rb files from trusted publishers and verified sources
- Run calibre in a sandboxed environment or container to limit filesystem access
- Implement application-level firewall rules to restrict calibre's filesystem write capabilities to designated library directories
# Example: Running calibre with restricted permissions using firejail (Linux)
firejail --whitelist=/home/user/calibre-library calibre
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
