VulnerableCode Package Details - pkg:deb/debian/calibre@9.3.0%2Bds%2B~0.10.5-1?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-bjj5-ynf7-v7aa	calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below are vulnerable to Path Traversal through PDB readers (both 132-byte and 202-byte header variants) that allow arbitrary file writes with arbitrary extension and arbitrary content anywhere the user has write permissions. Files are written in 'wb' mode, silently overwriting existing files. This can lead to potential code execution and Denial of Service through file corruption. This issue has been fixed in version 9.3.0.	CVE-2026-26065
VCID-x63d-4kux-cqcu	calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows, this leads to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. Function extract_pictures only checks startswith('Pictures'), and does not sanitize '..' sequences. calibre's own ZipFile.extractall() in utils/zipfile.py does sanitize '..' via _get_targetpath(), but extract_pictures() bypasses this by using manual zf.read() + open(). This issue has been fixed in version 9.3.0.	CVE-2026-26064

Vulnerability

Summary

Aliases

VCID-bjj5-ynf7-v7aa

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below are vulnerable to Path Traversal through PDB readers (both 132-byte and 202-byte header variants) that allow arbitrary file writes with arbitrary extension and arbitrary content anywhere the user has write permissions. Files are written in 'wb' mode, silently overwriting existing files. This can lead to potential code execution and Denial of Service through file corruption. This issue has been fixed in version 9.3.0.

CVE-2026-26065

VCID-x63d-4kux-cqcu

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows, this leads to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. Function extract_pictures only checks startswith('Pictures'), and does not sanitize '..' sequences. calibre's own ZipFile.extractall() in utils/zipfile.py does sanitize '..' via _get_targetpath(), but extract_pictures() bypasses this by using manual zf.read() + open(). This issue has been fixed in version 9.3.0.

CVE-2026-26064

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-30T16:20:41.782491+00:00	Debian Importer	Fixing	VCID-bjj5-ynf7-v7aa	https://security-tracker.debian.org/tracker/data/json	38.5.0
2026-04-30T16:20:41.753701+00:00	Debian Importer	Fixing	VCID-x63d-4kux-cqcu	https://security-tracker.debian.org/tracker/data/json	38.5.0
2026-04-28T12:59:31.909349+00:00	Debian Importer	Fixing	VCID-bjj5-ynf7-v7aa	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-28T12:59:31.868696+00:00	Debian Importer	Fixing	VCID-x63d-4kux-cqcu	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-12T17:46:44.521560+00:00	Debian Importer	Fixing	VCID-bjj5-ynf7-v7aa	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-12T17:46:44.453332+00:00	Debian Importer	Fixing	VCID-x63d-4kux-cqcu	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:20:11.373207+00:00	Debian Importer	Fixing	VCID-bjj5-ynf7-v7aa	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:20:11.353239+00:00	Debian Importer	Fixing	VCID-x63d-4kux-cqcu	https://security-tracker.debian.org/tracker/data/json	38.1.0