๐Ÿ” CVE Alert

CVE-2026-27810

MEDIUM 6.4

calibre Vulnerable to HTTP Response Header Injection

CVSS Score: 6.4
EPSS Score: 0.0%
EPSS Percentile: 0th

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, an HTTP Response Header Injection vulnerability in the calibre Content Server allows any authenticated user to inject arbitrary HTTP headers into server responses via an unsanitized `content_disposition` query parameter in the `/get/` and `/data-files/get/` endpoints. All users running the calibre Content Server with authentication enabled are affected. The vulnerability is exploitable by any authenticated user and can also be triggered by tricking an authenticated victim into clicking a crafted link. Version 9.4.0 contains a fix for the issue.
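A generic Python sketch of the CWE-113 pattern described above, added here as an illustration; it is not calibre's code and not the 9.4.0 fix. The function names, the `attachment`/`inline` allowlist, the `filename` argument and the sample value are assumptions made for the example.

```python
import re
from urllib.parse import quote

# Generic sketch of CWE-113; not calibre's code and not its 9.4.0 fix.
ALLOWED_DISPOSITIONS = {"attachment", "inline"}   # assumed allowlist
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")         # CR, LF and other control bytes


def naive_response_head(disposition: str) -> str:
    """Vulnerable pattern: the query value is copied into the header as-is."""
    return ("HTTP/1.1 200 OK\r\n"
            f"Content-Disposition: {disposition}\r\n"
            "\r\n")


def header_names(response_head: str) -> list[str]:
    """Header names a client would parse out of a serialized response head."""
    lines = response_head.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    return [line.split(":", 1)[0] for line in lines]


def content_disposition(disposition: str, filename: str) -> str:
    """Hardened: allowlist the type, never echo raw input, encode the name."""
    kind = disposition.lower()
    if kind not in ALLOWED_DISPOSITIONS:
        raise ValueError("unsupported content_disposition value")
    if _CONTROL.search(filename):
        raise ValueError("control character in filename")
    # ASCII fallback plus RFC 5987 percent-encoded form of the real name.
    fallback = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return f"{kind}; filename=\"{fallback}\"; filename*=UTF-8''{quote(filename, safe='')}"


def serialize_header(name: str, value: str) -> str:
    """Defense in depth: the serializer itself refuses control characters."""
    if _CONTROL.search(name) or _CONTROL.search(value):
        raise ValueError(f"control character in header {name!r}")
    return f"{name}: {value}\r\n"


# Constructed sample value: a CRLF followed by a second, made-up header.
SAMPLE = "inline\r\nX-Constructed: 1"
```

With the constructed sample, `header_names(naive_response_head(SAMPLE))` reports two headers where the server meant to send one, while both hardened functions raise `ValueError`.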

CWE: CWE-113
Vendor: kovidgoyal
Product: calibre
Published: Feb 27, 2026
Last Updated: Mar 2, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Affected Versions

kovidgoyal / calibre: < 9.4.0

References

github.com: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-5fpj-fxw7-8grw