Lookup for vulnerable packages by Package URL.
| Purl | pkg:pypi/calibreweb@0.6.19 |
|---|
| Type | pypi |
|---|
| Namespace | |
|---|
| Name | calibreweb |
|---|
| Version | 0.6.19 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | true |
|---|
| Next_non_vulnerable_version | null |
|---|
| Latest_non_vulnerable_version | null |
|---|
| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-4xd2-y3tq-ckh8 |
| vulnerability_id |
VCID-4xd2-y3tq-ckh8 |
| summary |
Calibre Web and Autocaliweb have OS Command Injection vulnerability
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Calibre Web, Autocaliweb allows Blind OS Command Injection. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://fluidattacks.com/advisories/kino |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-25T13:33:27Z/ |
|
|
| url |
https://fluidattacks.com/advisories/kino |
|
| 2 |
| reference_url |
https://github.com/gelbphoenix/autocaliweb |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-25T13:33:27Z/ |
|
|
| url |
https://github.com/gelbphoenix/autocaliweb |
|
| 3 |
| reference_url |
https://github.com/janeczku/calibre-web |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-25T13:33:27Z/ |
|
|
| url |
https://github.com/janeczku/calibre-web |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-7404, GHSA-qc4j-v7h6-xr5h
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4xd2-y3tq-ckh8 |
|
| 1 |
|
| 2 |
| url |
VCID-gb1g-yf4f-tygr |
| vulnerability_id |
VCID-gb1g-yf4f-tygr |
| summary |
Calibre-Web Has a Stored Cross-Site Scripting (XSS) Vulnerability via the 'username' Field During User Creation
A Stored Cross-Site Scripting (XSS) vulnerability in Calibre-Web v0.6.25 allows attackers to inject malicious JavaScript into the 'username' field during user creation. The payload is stored unsanitized and later executed when the /ajax/listusers endpoint is accessed. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-65858, GHSA-pc5g-j9j7-p4q3
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gb1g-yf4f-tygr |
|
| 3 |
| url |
VCID-gwc3-dztv-37dw |
| vulnerability_id |
VCID-gwc3-dztv-37dw |
| summary |
Calibre Web and Autocaliweb have a ReDoS vulnerability
ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://github.com/gelbphoenix/autocaliweb |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 1 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-24T19:50:08Z/ |
|
|
| url |
https://github.com/gelbphoenix/autocaliweb |
|
| 3 |
| reference_url |
https://github.com/janeczku/calibre-web |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 1 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-24T19:50:08Z/ |
|
|
| url |
https://github.com/janeczku/calibre-web |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-6998, GHSA-2g7m-ph9x-7q7m
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gwc3-dztv-37dw |
|
| 4 |
| url |
VCID-m8wg-f36t-pygt |
| vulnerability_id |
VCID-m8wg-f36t-pygt |
| summary |
Calibre-Web Cross Site Scripting (XSS)
In janeczku Calibre-Web 0.6.0 to 0.6.21, the edit_book_comments function is vulnerable to Cross Site Scripting (XSS) due to improper sanitization performed by the clean_string function. The vulnerability arises from the way the clean_string function handles HTML sanitization. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/janeczku/calibre-web |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/janeczku/calibre-web |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-39123, GHSA-j22r-3rf3-cv25
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-m8wg-f36t-pygt |
|
| 5 |
|
|
|---|
| Fixing_vulnerabilities |
|
|---|
| Risk_score | 4.4 |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.19 |
|---|