A critical vulnerability in Calibre, the popular cross-platform e-book manager, allows arbitrary code execution when an attacker supplies a malicious FictionBook (FB2) file. Tracked as CVE-2025-64486 and scored CVSS 9.3, the flaw affects Calibre releases up to and including 8.13.0 and was fixed in 8.14.0.
calibre is an e-book manager. It can view, convert, edit and catalog e-books in all of the major e-book formats. It can also talk to e-book reader devices. It can go out to the internet and fetch metadata for your books. It can download newspapers and convert them into e-books for convenient reading. It is cross platform, running on Linux, Windows and macOS.
Researchers found that Calibre does not validate filenames when handling binary assets in FB2 files. Binary assets are the standard way a FictionBook file embeds images and other attachments, and each asset carries a name chosen by whoever authored the file. As the advisory explains:
“Calibre does not validate filenames when handling binary assets in FB2 files, allowing an attacker to write arbitrary files on the filesystem when viewing or converting a malicious FictionBook file. This can be leveraged to achieve arbitrary code execution.”
In short: a crafted FB2 may carry binary assets with specially chosen filenames that cause Calibre to write files to unintended locations on disk. Those arbitrary writes can be abused to place executable payloads, overwrite DLLs, drop launcher shortcuts, or otherwise arrange for code to run — turning a seemingly benign e-book into a remote code execution vector.
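As an added illustration (not Calibre's own code, and not the actual fix in 8.14.0), the following Python shows the class of check such a bug calls for: an FB2 `<binary id="...">` extractor that allowlists the id before using it as a filename and then confirms the resolved path still sits inside the extraction directory. The FB2 `<binary>` element and its namespace are real parts of the format; the sample document is constructed, and `check_asset_id`, `audit_fb2`, `extract_binaries` and `extract_sample_to_tempdir` are hypothetical names, not Calibre APIs.

```python
from __future__ import annotations

import base64
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Real FictionBook 2.0 namespace; <binary id="NAME" content-type="...">base64</binary>
# is how the format embeds images and attachments.
FB2_NS = "http://www.gribuser.ru/xml/fictionbook/2.0"

# Allowlist for asset ids used as filenames: a plain basename only, starting with an
# alphanumeric, no separators, no leading dot, bounded length. Anything else is refused.
SAFE_ID = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")

# Constructed sample (hypothetical): one legitimate asset and two ids that must be refused.
SAMPLE_FB2 = b"""<?xml version="1.0" encoding="utf-8"?>
<FictionBook xmlns="http://www.gribuser.ru/xml/fictionbook/2.0">
  <body><section><p>constructed sample document</p></section></body>
  <binary id="cover.jpg" content-type="image/jpeg">aGVsbG8=</binary>
  <binary id="../../escape.bin" content-type="application/octet-stream">bm90ZQ==</binary>
  <binary id="sub\\dir.png" content-type="image/png">bm90ZQ==</binary>
</FictionBook>
"""


class UnsafeAssetName(ValueError):
    """Raised for a <binary id> that must not be used as a filename."""


def check_asset_id(asset_id: str) -> str:
    """Return asset_id unchanged if it is a safe basename, else raise UnsafeAssetName."""
    if not asset_id or not SAFE_ID.fullmatch(asset_id):
        raise UnsafeAssetName(f"rejected FB2 binary id {asset_id!r}")
    return asset_id


def iter_binaries(fb2_xml: bytes):
    """Yield (id, content_type, decoded_bytes) for every <binary> element."""
    root = ET.fromstring(fb2_xml)
    for el in root.iter(f"{{{FB2_NS}}}binary"):
        # b64decode discards whitespace/newlines that real files wrap the payload with.
        yield el.get("id", ""), el.get("content-type", ""), base64.b64decode(el.text or "")


def audit_fb2(fb2_xml: bytes) -> list[tuple[str, bool]]:
    """Detection-only pass: report each asset id and whether it passes validation.
    Writes nothing, so it is safe to run over untrusted files in a quarantine workflow."""
    report = []
    for asset_id, _ctype, _data in iter_binaries(fb2_xml):
        try:
            check_asset_id(asset_id)
            report.append((asset_id, True))
        except UnsafeAssetName:
            report.append((asset_id, False))
    return report


def extract_binaries(fb2_xml: bytes, out_dir: Path) -> list[Path]:
    """Write only validated assets under out_dir; unsafe ids are skipped, never written."""
    out_dir = Path(out_dir).resolve()
    out_dir.mkdir(parents=True, exist_ok=True)
    written: list[Path] = []
    for asset_id, _ctype, data in iter_binaries(fb2_xml):
        try:
            name = check_asset_id(asset_id)
        except UnsafeAssetName:
            continue
        target = (out_dir / name).resolve()
        # Defence in depth: the allowlist should already guarantee this, but confirm the
        # final path's parent is exactly the extraction directory before touching disk.
        if target.parent != out_dir:
            continue
        target.write_bytes(data)
        written.append(target)
    return written


def extract_sample_to_tempdir(fb2_xml: bytes = SAMPLE_FB2) -> dict[str, bytes]:
    """Extract into a throwaway directory and return {filename: contents} of what was written."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = extract_binaries(fb2_xml, Path(tmp))
        return {p.name: p.read_bytes() for p in paths}


if __name__ == "__main__":
    for asset_id, ok in audit_fb2(SAMPLE_FB2):
        print(f"{'OK     ' if ok else 'REJECT '} {asset_id!r}")
    print(extract_sample_to_tempdir())
```

The two layers are deliberate: the allowlist decides what an asset may be called, and the containment check on the resolved path catches anything the allowlist might one day miss. For triage, `audit_fb2` can flag suspicious FB2 files without ever writing an asset to disk.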
With a CVSS 9.3 rating, this is a high-severity, easily weaponizable bug: a single poisoned FB2 file delivered by email, forum download, torrent, or a compromised website could let an attacker gain code execution on the victim’s machine.
Patch Calibre to 8.14.0 immediately and treat untrusted FB2 files as potentially malicious until your environment has been updated and audited.