CVE-2026-26064

216.73.216.233

· Published 20/02/2026 02:16 · Modified 20/02/2026 16:53

Labels: CVE-2026-26064 2026-02-20 CVE-2026-26064 CWE-22 [email protected]

Essential information

Published: 20/02/2026 02:16
Modified: 20/02/2026 16:53
Author: —
Creator: —
CVSS: 9.3 CRITICAL (v3) 9.3 CRITICAL (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows, this leads to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. Function extract_pictures only checks startswith('Pictures'), and does not sanitize '..' sequences. calibre's own ZipFile.extractall() in utils/zipfile.py does sanitize '..' via _get_targetpath(), but extract_pictures() bypasses this by using manual zf.read() + open(). This issue has been fixed in version 9.3.0.

NVD status

Status: Analyzed — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
calibre-ebook / calibre	`cpe:2.3:a:calibre-ebook:calibre::::::::`