Calibre, the popular cross-platform e-book manager used worldwide to view, convert, edit, and catalog digital libraries, is the subject of a serious security alert. Two critical vulnerabilities have been disclosed that allow an attacker to silently write files to a user's system, leading to remote code execution (RCE) and full system compromise.
Both flaws carry a critical CVSS score of 9.3 and stem from how the application handles file paths embedded in specific e-book formats.
The first vulnerability, CVE-2026-26065, is a path traversal flaw residing in Calibre’s eReader PDB readers. It specifically affects both the 132-byte and 202-byte header variants, impacting the src/calibre/ebooks/pdb/ereader/reader132.py and src/calibre/ebooks/pdb/ereader/reader202.py components.
The vulnerability allows an attacker to write arbitrary files anywhere the user has write permission, with no restriction on file extension or content. The attack flow is straightforward:
- An attacker crafts a malicious PDB file whose image records carry a traversal path (e.g., ../../../../../../pdb_rce.bat) in the 32-byte name field and batch-script content in the data field.
- The application's get_image() function reads the 32-byte name directly from the binary data without any sanitization or extension check.
- When extract_content() writes the records into an images/ subdirectory, the unsanitized ../ sequences in the name are resolved by the filesystem.
- The application opens the file with open(name, 'wb'), which silently writes the attacker-controlled content to the traversed path, overwriting any existing file at that location.
This silent overwrite can lead to code execution (a dropped script in a location where it will be run) or to denial of service through corruption of existing files.
The second critical vulnerability, CVE-2026-26064, impacts Calibre’s ODT (OpenDocument Text) reader, specifically within the src/calibre/ebooks/odt/input.py component.
Like the PDB flaw, this is a path traversal vulnerability that allows arbitrary file writes. The ODT case, however, demonstrates a direct path to full compromise of a Windows machine.
Because ODT files are essentially ZIP archives, an attacker can embed a malicious entry with a heavily traversed path, such as:
Pictures/../../../../../Roaming/Microsoft/Windows/STARTM~1/Programs/Startup/rce.bat.
When Calibre processes the document, zf.namelist() returns the entry name with its .. sequences intact. Because the name begins with the expected 'Pictures' prefix, it passes the reader's basic check. The application then opens the file in write-binary mode ('wb'); the traversal resolves and the payload is dropped directly into the Windows Startup folder.
The payload executes automatically the next time the user logs in, giving the attacker remote code execution on the machine.
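Both write paths fail for the same reason: the check (if any) is made on the raw name string, while the write is made on the path the filesystem resolves. The following is an added example, not Calibre's code and not the researcher's proof of concept, that models the two cases side by side: a constructed PDB image record whose 32-byte name field carries the traversal path, and a constructed ODT (a ZIP) whose entry name starts with "Pictures" but climbs out of the extraction directory. The naive join shows where open(..., 'wb') would actually write; the hardened resolve_within() rejects anything whose resolved path leaves the output directory. Assumptions: the 32-byte, NUL-padded name field is taken only from the article's description (the rest of the record layout is not modelled), the name is decoded as latin-1 (the article does not state the encoding), and the function names other than the article's are this example's own.

```python
"""Naive vs. hardened handling of archive-supplied file names, modelled on the
two Calibre write paths in the article. Constructed example, not Calibre code."""
import io
import os
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

PDB_NAME_FIELD_LEN = 32  # size of the eReader image record name field, per the article

# Entry name quoted in the article for the ODT case.
ODT_TRAVERSAL_NAME = ("Pictures/../../../../../Roaming/Microsoft/Windows/"
                      "STARTM~1/Programs/Startup/rce.bat")


class PathTraversalError(ValueError):
    """An archive-supplied name would land outside the extraction directory."""


def naive_target(base_dir: str, name: str) -> str:
    """The vulnerable pattern: trust the name, join it, open(..., 'wb').
    Returns the path that open() would really create once '..' is applied."""
    return os.path.normpath(os.path.join(base_dir, name))


def resolve_within(base_dir: str, name: str) -> str:
    """Join `name` onto `base_dir` only if the *resolved* result stays inside.

    Rejects empty names, absolute paths, Windows drive prefixes, and any '..'
    that climbs to or above base_dir. Comparing resolved paths rather than the
    raw string is what makes 'Pictures/../../x' fail even though it starts
    with 'Pictures'.
    """
    rel = PurePosixPath(name.replace("\\", "/"))  # treat both separators alike
    if not rel.parts or rel.is_absolute() or (len(name) > 1 and name[1] == ":"):
        raise PathTraversalError(f"absolute or empty archive name: {name!r}")
    base = Path(base_dir).resolve()
    candidate = (base / Path(*rel.parts)).resolve()
    if candidate == base or base not in candidate.parents:
        raise PathTraversalError(f"{name!r} escapes {base_dir!r}")
    return str(candidate)


def escapes(base_dir: str, name: str) -> bool:
    """True if `name` would be refused by the hardened check."""
    try:
        resolve_within(base_dir, name)
    except PathTraversalError:
        return True
    return False


def pdb_record_name(record: bytes) -> str:
    """Decode the NUL-padded 32-byte name field at the head of an image record.
    Assumption: latin-1; the article does not give the encoding."""
    return record[:PDB_NAME_FIELD_LEN].rstrip(b"\0").decode("latin-1")


def build_malicious_odt() -> bytes:
    """Constructed ODT: one legitimate image plus one traversal entry.
    zipfile stores the '..' name verbatim, so namelist() later returns it intact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("Pictures/cover.png", b"\x89PNG\r\n\x1a\n")
        zf.writestr(ODT_TRAVERSAL_NAME, b"@echo off\r\necho pwned\r\n")
    return buf.getvalue()


def extract_pictures(odt_bytes: bytes, out_dir: str) -> dict:
    """Hardened image-extraction loop: the prefix test is only a filter, and
    every write goes through resolve_within(). Returns name -> outcome."""
    outcome = {}
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        for name in zf.namelist():  # '..' sequences come back untouched
            if not name.startswith("Pictures/"):
                continue
            try:
                target = resolve_within(out_dir, name)
            except PathTraversalError:
                outcome[name] = "rejected"
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(name))
            outcome[name] = "written"
    return outcome


def demo() -> dict:
    """Run both cases in a throwaway directory and report what happened."""
    out_dir = tempfile.mkdtemp(prefix="calibre_demo_")
    images_dir = os.path.join(out_dir, "images")
    # Constructed PDB image record: 32-byte name field, then the payload bytes.
    record = (b"../../../../../../pdb_rce.bat".ljust(PDB_NAME_FIELD_LEN, b"\0")
              + b"@echo off\r\n")
    pdb_name = pdb_record_name(record)
    return {
        "images_dir": images_dir,
        "pdb_name": pdb_name,
        "pdb_naive_target": naive_target(images_dir, pdb_name),  # lands outside
        "pdb_escapes": escapes(images_dir, pdb_name),
        "odt_prefix_check_passes": ODT_TRAVERSAL_NAME.startswith("Pictures"),
        "odt": extract_pictures(build_malicious_odt(), out_dir),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the containment test runs on the resolved path, so it also catches the variants a prefix check never sees: backslash separators, a name that resolves exactly to the base directory, and absolute or drive-letter names. Fixed Calibre releases make their own checks; this block only illustrates the property any such check needs.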
These vulnerabilities are a significant threat to users who download e-books from untrusted sources. All Calibre versions prior to 9.2.1 are affected.
Users are strongly advised to update immediately; the current fully patched release is version 9.3.0, which closes both file-write flaws.