Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:deb/debian/calibre@9.3.0%2Bds%2B~0.10.5-1?distro=trixie

Type deb

Namespace debian

Name calibre

Version 9.3.0+ds+~0.10.5-1

Qualifiers

distro	trixie

Subpath

Is_vulnerable false

Next_non_vulnerable_version 9.4.0+ds+~0.10.5-1

Latest_non_vulnerable_version 9.7.0+ds+~0.10.5-2

Affected_by_vulnerabilities

Fixing_vulnerabilities

url VCID-bjj5-ynf7-v7aa

vulnerability_id VCID-bjj5-ynf7-v7aa

summary calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below are vulnerable to Path Traversal through PDB readers (both 132-byte and 202-byte header variants) that allow arbitrary file writes with arbitrary extension and arbitrary content anywhere the user has write permissions. Files are written in 'wb' mode, silently overwriting existing files. This can lead to potential code execution and Denial of Service through file corruption. This issue has been fixed in version 9.3.0.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-26065

reference_id

reference_type

scores

value	0.00038
scoring_system	epss
scoring_elements	0.11374
published_at	2026-04-21T12:55:00Z

value	0.00038
scoring_system	epss
scoring_elements	0.11384
published_at	2026-04-13T12:55:00Z

value	0.00038
scoring_system	epss
scoring_elements	0.11246
published_at	2026-04-16T12:55:00Z

value	0.00038
scoring_system	epss
scoring_elements	0.11247
published_at	2026-04-18T12:55:00Z

value	0.00038
scoring_system	epss
scoring_elements	0.11454
published_at	2026-04-02T12:55:00Z

value	0.00038
scoring_system	epss
scoring_elements	0.11513
published_at	2026-04-04T12:55:00Z

value	0.00038
scoring_system	epss
scoring_elements	0.113
published_at	2026-04-07T12:55:00Z

value	0.00038
scoring_system	epss
scoring_elements	0.11382
published_at	2026-04-08T12:55:00Z

value	0.00038
scoring_system	epss
scoring_elements	0.11441
published_at	2026-04-09T12:55:00Z

value	0.00038
scoring_system	epss
scoring_elements	0.11446
published_at	2026-04-11T12:55:00Z

value	0.00038
scoring_system	epss
scoring_elements	0.11413
published_at	2026-04-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-26065

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26065
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26065

reference_url

https://github.com/kovidgoyal/calibre/commit/b6da1c3878c06eb1356cb0ec1106cb66e0e9bfb8

reference_id

b6da1c3878c06eb1356cb0ec1106cb66e0e9bfb8

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T16:41:04Z/

url

https://github.com/kovidgoyal/calibre/commit/b6da1c3878c06eb1356cb0ec1106cb66e0e9bfb8

reference_url

https://github.com/kovidgoyal/calibre/security/advisories/GHSA-vmfh-7mr7-pp2w

reference_id

GHSA-vmfh-7mr7-pp2w

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T16:41:04Z/

url

https://github.com/kovidgoyal/calibre/security/advisories/GHSA-vmfh-7mr7-pp2w

fixed_packages

url	pkg:deb/debian/calibre@9.3.0%2Bds%2B~0.10.5-1?distro=trixie
purl	pkg:deb/debian/calibre@9.3.0%2Bds%2B~0.10.5-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.3.0%252Bds%252B~0.10.5-1%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-5?distro=trixie
purl	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-5?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.6.0%252Bds%252B~0.10.5-5%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-6?distro=trixie
purl	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-6?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.6.0%252Bds%252B~0.10.5-6%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.7.0%2Bds%2B~0.10.5-2?distro=trixie
purl	pkg:deb/debian/calibre@9.7.0%2Bds%2B~0.10.5-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.7.0%252Bds%252B~0.10.5-2%3Fdistro=trixie

aliases CVE-2026-26065

risk_score 4.2

exploitability 0.5

weighted_severity 8.4

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bjj5-ynf7-v7aa

url VCID-x63d-4kux-cqcu

vulnerability_id VCID-x63d-4kux-cqcu

summary calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows, this leads to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. Function extract_pictures only checks startswith('Pictures'), and does not sanitize '..' sequences. calibre's own ZipFile.extractall() in utils/zipfile.py does sanitize '..' via _get_targetpath(), but extract_pictures() bypasses this by using manual zf.read() + open(). This issue has been fixed in version 9.3.0.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-26064

reference_id

reference_type

scores

value	0.00067
scoring_system	epss
scoring_elements	0.20596
published_at	2026-04-21T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20622
published_at	2026-04-13T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20608
published_at	2026-04-16T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20605
published_at	2026-04-18T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20787
published_at	2026-04-02T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20846
published_at	2026-04-04T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.2056
published_at	2026-04-07T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20636
published_at	2026-04-08T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20698
published_at	2026-04-09T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20718
published_at	2026-04-11T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20675
published_at	2026-04-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-26064

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26064
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26064

reference_url

https://github.com/kovidgoyal/calibre/commit/e1b5f9b45a5e8fa96c136963ad9a1d35e6adac62

reference_id

e1b5f9b45a5e8fa96c136963ad9a1d35e6adac62

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:29:11Z/

url

https://github.com/kovidgoyal/calibre/commit/e1b5f9b45a5e8fa96c136963ad9a1d35e6adac62

reference_url

https://github.com/kovidgoyal/calibre/security/advisories/GHSA-72ch-3hqc-pgmp

reference_id

GHSA-72ch-3hqc-pgmp

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:29:11Z/

url

https://github.com/kovidgoyal/calibre/security/advisories/GHSA-72ch-3hqc-pgmp

fixed_packages

url	pkg:deb/debian/calibre@9.3.0%2Bds%2B~0.10.5-1?distro=trixie
purl	pkg:deb/debian/calibre@9.3.0%2Bds%2B~0.10.5-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.3.0%252Bds%252B~0.10.5-1%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-5?distro=trixie
purl	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-5?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.6.0%252Bds%252B~0.10.5-5%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-6?distro=trixie
purl	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-6?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.6.0%252Bds%252B~0.10.5-6%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.7.0%2Bds%2B~0.10.5-2?distro=trixie
purl	pkg:deb/debian/calibre@9.7.0%2Bds%2B~0.10.5-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.7.0%252Bds%252B~0.10.5-2%3Fdistro=trixie

aliases CVE-2026-26064

risk_score 4.2

exploitability 0.5

weighted_severity 8.4

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x63d-4kux-cqcu

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.3.0%252Bds%252B~0.10.5-1%3Fdistro=trixie

Package Instance