CVE-2026-33206
calibre has a path traversal vulnerability
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a path traversal vulnerability exists in calibre's handling of images in Markdown and other similar text-based files, allowing an attacker to include arbitrary files from the file system in the converted book. Additionally, missing authentication and server-side request forgery in the background-image endpoint of the e-book reader web view allow the files to be exfiltrated without additional interaction. Version 9.6.0 contains a fix.
| CWE | CWE-23 |
| Vendor | kovidgoyal |
| Product | calibre |
| Published | Mar 27, 2026 |
| Last Updated | Mar 27, 2026 |
Affected Versions
| kovidgoyal / calibre | < 9.6.0 |
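For hosts that cannot move to 9.6.0 immediately, untrusted Markdown can be screened before conversion for the image-reference traversal described above. The following is an added example, not calibre's code and not its fix; the function name `escaping_image_refs` and the sample document are constructed for illustration, and only inline `![alt](target)` images are covered (reference-style images and HTML `<img>` tags are not).

```python
import re
from pathlib import Path
from urllib.parse import unquote, urlsplit

# Inline Markdown image syntax: ![alt](target "optional title")
IMG_RE = re.compile(r'!\[[^\]]*\]\(\s*<?([^)\s>]+)>?[^)]*\)')

# Constructed sample input, not taken from any real book.
SAMPLE_MD = """\
![cover](images/cover.png)
![ok](images/../cover.png "Title")
![up](../../outside.png)
![abs](/etc/hostname)
![enc](%2e%2e/outside.png)
![remote](https://example.com/a.png)
![furl](file:///etc/hostname)
"""

def escaping_image_refs(markdown_text, doc_dir):
    """Return image targets that resolve outside doc_dir (hypothetical helper)."""
    base = Path(doc_dir).resolve()
    flagged = []
    for target in IMG_RE.findall(markdown_text):
        parts = urlsplit(target)
        if len(parts.scheme) == 1:
            flagged.append(target)  # Windows drive letter, i.e. an absolute path
            continue
        if parts.scheme not in ("", "file"):
            continue  # remote schemes are a separate policy decision
        # Percent-decode conservatively; an absolute path replaces `base`.
        # resolve() collapses ".." and follows any symlinks that exist.
        resolved = (base / unquote(parts.path)).resolve()
        if not resolved.is_relative_to(base):  # Python 3.9+
            flagged.append(target)
    return flagged

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
        for ref in escaping_image_refs(text, Path(path).parent):
            print(f"{path}: image reference leaves document directory: {ref}")
```

Run it over the files queued for conversion and quarantine any document it reports.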