๐Ÿ” CVE Alert

CVE-2026-53511

UNKNOWN 0.0

calibre: Arbitrary Code Execution in Template Formatter via Book Metadata

CVSS Score
0.0
EPSS Score
0.2%
EPSS Percentile
10th

calibre is an e-book manager. Prior to 9.10.0, a malicious EPUB, OPF, or PDF file can execute arbitrary Python code when its metadata is read by calibre, including through Add books or Edit books, by embedding a custom column definition with a python: template in calibre:user_metadata that is passed unsanitized to exec() in the template formatter. This issue is fixed in version 9.10.0.

CWE CWE-94
Vendor kovidgoyal
Product calibre
Published Jul 7, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for kovidgoyal calibre

Be the first to know when new unknown vulnerabilities affecting kovidgoyal calibre are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

kovidgoyal / calibre
< 9.10.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-2j4m-2q7x-2c47 github.com: https://github.com/kovidgoyal/calibre/commit/712f4e1ff5c1e798c335bef3bacc4efdee052e9c github.com: https://github.com/kovidgoyal/calibre/releases/tag/v9.10.0