CVE-2026-27824

MEDIUM 5.3

calibre has IP Ban Bypass via X-Forwarded-For Header Spoofing

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Server's brute-force protection mechanism uses a ban key derived from both `remote_addr` and the `X-Forwarded-For` header. Since the `X-Forwarded-For` header is read directly from the HTTP request without any validation or trusted-proxy configuration, an attacker can bypass IP-based bans by simply changing or adding this header, rendering the brute-force protection completely ineffective. This is particularly dangerous for calibre servers exposed to the internet, where brute-force protection is the primary defense against credential stuffing and password guessing attacks. Version 9.4.0 contains a fix for the issue.

CWE	CWE-307 CWE-346
Vendor	kovidgoyal
Product	calibre
Published	Feb 27, 2026
Last Updated	Mar 2, 2026

Stay Ahead of the Next One

Get instant alerts for kovidgoyal calibre

Be the first to know when new medium vulnerabilities affecting kovidgoyal calibre are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected Versions

kovidgoyal / calibre

< 9.4.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-vhxc-r7v8-2xrw