Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:deb/debian/calibre@5.12.0%2Bdfsg-1%2Bdeb11u4?distro=trixie

Type deb

Namespace debian

Name calibre

Version 5.12.0+dfsg-1+deb11u4

Qualifiers

distro	trixie

Subpath

Is_vulnerable false

Next_non_vulnerable_version 5.33.0+dfsg-1

Latest_non_vulnerable_version 9.8.0+ds+~0.10.5-1

Affected_by_vulnerabilities

Fixing_vulnerabilities

url VCID-b3vv-xdp2-7ub8

vulnerability_id VCID-b3vv-xdp2-7ub8

summary calibre is an e-book manager. In versions 8.13.0 and prior, calibre does not validate filenames when handling binary assets in FB2 files, allowing an attacker to write arbitrary files on the filesystem when viewing or converting a malicious FictionBook file. This can be leveraged to achieve arbitrary code execution. This issue is fixed in version 8.14.0.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-64486

reference_id

reference_type

scores

value	0.00033
scoring_system	epss
scoring_elements	0.09639
published_at	2026-04-08T12:55:00Z

value	0.00033
scoring_system	epss
scoring_elements	0.09542
published_at	2026-04-16T12:55:00Z

value	0.00033
scoring_system	epss
scoring_elements	0.09652
published_at	2026-04-13T12:55:00Z

value	0.00033
scoring_system	epss
scoring_elements	0.09668
published_at	2026-04-12T12:55:00Z

value	0.00033
scoring_system	epss
scoring_elements	0.097
published_at	2026-04-11T12:55:00Z

value	0.00033
scoring_system	epss
scoring_elements	0.09687
published_at	2026-04-09T12:55:00Z

value	0.00033
scoring_system	epss
scoring_elements	0.09566
published_at	2026-04-07T12:55:00Z

value	0.00039
scoring_system	epss
scoring_elements	0.11896
published_at	2026-05-12T12:55:00Z

value	0.00039
scoring_system	epss
scoring_elements	0.11875
published_at	2026-04-26T12:55:00Z

value	0.00039
scoring_system	epss
scoring_elements	0.1179
published_at	2026-04-29T12:55:00Z

value	0.00039
scoring_system	epss
scoring_elements	0.1171
published_at	2026-05-05T12:55:00Z

value	0.00039
scoring_system	epss
scoring_elements	0.11844
published_at	2026-05-07T12:55:00Z

value	0.00039
scoring_system	epss
scoring_elements	0.11892
published_at	2026-05-09T12:55:00Z

value	0.00039
scoring_system	epss
scoring_elements	0.11867
published_at	2026-05-11T12:55:00Z

value	0.00039
scoring_system	epss
scoring_elements	0.11816
published_at	2026-04-18T12:55:00Z

value	0.00039
scoring_system	epss
scoring_elements	0.11934
published_at	2026-04-21T12:55:00Z

value	0.00039
scoring_system	epss
scoring_elements	0.11904
published_at	2026-04-24T12:55:00Z

value	0.00053
scoring_system	epss
scoring_elements	0.16906
published_at	2026-04-04T12:55:00Z

value	0.00053
scoring_system	epss
scoring_elements	0.16849
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-64486

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64486
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64486

reference_url

https://github.com/kovidgoyal/calibre/commit/6f94bce214bf7d43c829804db3741afa5e83c0c5

reference_id

6f94bce214bf7d43c829804db3741afa5e83c0c5

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-11-13T21:34:15Z/

url

https://github.com/kovidgoyal/calibre/commit/6f94bce214bf7d43c829804db3741afa5e83c0c5

reference_url

https://github.com/kovidgoyal/calibre/security/advisories/GHSA-hpwq-c98h-xp8g

reference_id

GHSA-hpwq-c98h-xp8g

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-11-13T21:34:15Z/

url

https://github.com/kovidgoyal/calibre/security/advisories/GHSA-hpwq-c98h-xp8g

fixed_packages

url	pkg:deb/debian/calibre@9.8.0%2Bds%2B~0.10.5-5?distro=trixie
purl	pkg:deb/debian/calibre@9.8.0%2Bds%2B~0.10.5-5?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.8.0%252Bds%252B~0.10.5-5%3Fdistro=trixie

url pkg:deb/debian/calibre@5.12.0%2Bdfsg-1%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/calibre@5.12.0%2Bdfsg-1%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2w1b-b6qm-4qhf

vulnerability	VCID-b3vv-xdp2-7ub8

vulnerability	VCID-bjj5-ynf7-v7aa

vulnerability	VCID-dywq-dzuv-wka2

vulnerability	VCID-hgmk-8s7s-tfdb

vulnerability	VCID-jwpx-aqjh-dqej

vulnerability	VCID-mqmp-g7uy-gbg4

vulnerability	VCID-nj3z-4ya4-bqf7

vulnerability	VCID-vq4p-dvg4-eudz

vulnerability	VCID-x63d-4kux-cqcu

vulnerability	VCID-zhz3-1799-a7hk

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@5.12.0%252Bdfsg-1%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/calibre@5.12.0%2Bdfsg-1%2Bdeb11u4?distro=trixie
purl	pkg:deb/debian/calibre@5.12.0%2Bdfsg-1%2Bdeb11u4?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@5.12.0%252Bdfsg-1%252Bdeb11u4%3Fdistro=trixie

url pkg:deb/debian/calibre@6.13.0%2Brepack-2%2Bdeb12u5?distro=trixie

purl pkg:deb/debian/calibre@6.13.0%2Brepack-2%2Bdeb12u5?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2w1b-b6qm-4qhf

vulnerability	VCID-bjj5-ynf7-v7aa

vulnerability	VCID-dywq-dzuv-wka2

vulnerability	VCID-hgmk-8s7s-tfdb

vulnerability	VCID-jwpx-aqjh-dqej

vulnerability	VCID-mqmp-g7uy-gbg4

vulnerability	VCID-nj3z-4ya4-bqf7

vulnerability	VCID-vq4p-dvg4-eudz

vulnerability	VCID-x63d-4kux-cqcu

vulnerability	VCID-zhz3-1799-a7hk

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@6.13.0%252Brepack-2%252Bdeb12u5%3Fdistro=trixie

url pkg:deb/debian/calibre@8.5.0%2Bds-1%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/calibre@8.5.0%2Bds-1%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2w1b-b6qm-4qhf

vulnerability	VCID-bjj5-ynf7-v7aa

vulnerability	VCID-dywq-dzuv-wka2

vulnerability	VCID-hgmk-8s7s-tfdb

vulnerability	VCID-jwpx-aqjh-dqej

vulnerability	VCID-mqmp-g7uy-gbg4

vulnerability	VCID-nj3z-4ya4-bqf7

vulnerability	VCID-vq4p-dvg4-eudz

vulnerability	VCID-x63d-4kux-cqcu

vulnerability	VCID-zhz3-1799-a7hk

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@8.5.0%252Bds-1%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/calibre@8.14.0%2Bds%2B~0.10.5-1?distro=trixie
purl	pkg:deb/debian/calibre@8.14.0%2Bds%2B~0.10.5-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@8.14.0%252Bds%252B~0.10.5-1%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-5?distro=trixie
purl	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-5?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.6.0%252Bds%252B~0.10.5-5%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-6?distro=trixie
purl	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-6?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.6.0%252Bds%252B~0.10.5-6%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.7.0%2Bds%2B~0.10.5-2?distro=trixie
purl	pkg:deb/debian/calibre@9.7.0%2Bds%2B~0.10.5-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.7.0%252Bds%252B~0.10.5-2%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.8.0%2Bds%2B~0.10.5-1?distro=trixie
purl	pkg:deb/debian/calibre@9.8.0%2Bds%2B~0.10.5-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.8.0%252Bds%252B~0.10.5-1%3Fdistro=trixie

aliases CVE-2025-64486

risk_score 4.2

exploitability 0.5

weighted_severity 8.4

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-b3vv-xdp2-7ub8

url VCID-bjj5-ynf7-v7aa

vulnerability_id VCID-bjj5-ynf7-v7aa

summary calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below are vulnerable to Path Traversal through PDB readers (both 132-byte and 202-byte header variants) that allow arbitrary file writes with arbitrary extension and arbitrary content anywhere the user has write permissions. Files are written in 'wb' mode, silently overwriting existing files. This can lead to potential code execution and Denial of Service through file corruption. This issue has been fixed in version 9.3.0.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-26065

reference_id

reference_type

scores

value	0.00038
scoring_system	epss
scoring_elements	0.11454
published_at	2026-04-02T12:55:00Z

value	0.00038
scoring_system	epss
scoring_elements	0.11382
published_at	2026-04-08T12:55:00Z

value	0.00038
scoring_system	epss
scoring_elements	0.11441
published_at	2026-04-09T12:55:00Z

value	0.00038
scoring_system	epss
scoring_elements	0.11446
published_at	2026-04-11T12:55:00Z

value	0.00038
scoring_system	epss
scoring_elements	0.11413
published_at	2026-04-12T12:55:00Z

value	0.00038
scoring_system	epss
scoring_elements	0.11384
published_at	2026-04-13T12:55:00Z

value	0.00038
scoring_system	epss
scoring_elements	0.11246
published_at	2026-04-16T12:55:00Z

value	0.00038
scoring_system	epss
scoring_elements	0.11247
published_at	2026-04-18T12:55:00Z

value	0.00038
scoring_system	epss
scoring_elements	0.11374
published_at	2026-04-21T12:55:00Z

value	0.00038
scoring_system	epss
scoring_elements	0.11314
published_at	2026-04-24T12:55:00Z

value	0.00038
scoring_system	epss
scoring_elements	0.11273
published_at	2026-04-26T12:55:00Z

value	0.00038
scoring_system	epss
scoring_elements	0.11513
published_at	2026-04-04T12:55:00Z

value	0.00038
scoring_system	epss
scoring_elements	0.113
published_at	2026-04-07T12:55:00Z

value	0.00044
scoring_system	epss
scoring_elements	0.13301
published_at	2026-04-29T12:55:00Z

value	0.00047
scoring_system	epss
scoring_elements	0.14468
published_at	2026-05-12T12:55:00Z

value	0.00047
scoring_system	epss
scoring_elements	0.1419
published_at	2026-05-05T12:55:00Z

value	0.00047
scoring_system	epss
scoring_elements	0.1434
published_at	2026-05-07T12:55:00Z

value	0.00047
scoring_system	epss
scoring_elements	0.14433
published_at	2026-05-09T12:55:00Z

value	0.00047
scoring_system	epss
scoring_elements	0.14426
published_at	2026-05-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-26065

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26065
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26065

reference_url

https://github.com/kovidgoyal/calibre/commit/b6da1c3878c06eb1356cb0ec1106cb66e0e9bfb8

reference_id

b6da1c3878c06eb1356cb0ec1106cb66e0e9bfb8

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T16:41:04Z/

url

https://github.com/kovidgoyal/calibre/commit/b6da1c3878c06eb1356cb0ec1106cb66e0e9bfb8

reference_url

https://github.com/kovidgoyal/calibre/security/advisories/GHSA-vmfh-7mr7-pp2w

reference_id

GHSA-vmfh-7mr7-pp2w

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T16:41:04Z/

url

https://github.com/kovidgoyal/calibre/security/advisories/GHSA-vmfh-7mr7-pp2w

fixed_packages

url	pkg:deb/debian/calibre@9.8.0%2Bds%2B~0.10.5-5?distro=trixie
purl	pkg:deb/debian/calibre@9.8.0%2Bds%2B~0.10.5-5?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.8.0%252Bds%252B~0.10.5-5%3Fdistro=trixie

url pkg:deb/debian/calibre@5.12.0%2Bdfsg-1%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/calibre@5.12.0%2Bdfsg-1%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2w1b-b6qm-4qhf

vulnerability	VCID-b3vv-xdp2-7ub8

vulnerability	VCID-bjj5-ynf7-v7aa

vulnerability	VCID-dywq-dzuv-wka2

vulnerability	VCID-hgmk-8s7s-tfdb

vulnerability	VCID-jwpx-aqjh-dqej

vulnerability	VCID-mqmp-g7uy-gbg4

vulnerability	VCID-nj3z-4ya4-bqf7

vulnerability	VCID-vq4p-dvg4-eudz

vulnerability	VCID-x63d-4kux-cqcu

vulnerability	VCID-zhz3-1799-a7hk

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@5.12.0%252Bdfsg-1%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/calibre@5.12.0%2Bdfsg-1%2Bdeb11u4?distro=trixie
purl	pkg:deb/debian/calibre@5.12.0%2Bdfsg-1%2Bdeb11u4?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@5.12.0%252Bdfsg-1%252Bdeb11u4%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.3.0%2Bds%2B~0.10.5-1?distro=trixie
purl	pkg:deb/debian/calibre@9.3.0%2Bds%2B~0.10.5-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.3.0%252Bds%252B~0.10.5-1%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-5?distro=trixie
purl	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-5?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.6.0%252Bds%252B~0.10.5-5%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-6?distro=trixie
purl	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-6?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.6.0%252Bds%252B~0.10.5-6%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.7.0%2Bds%2B~0.10.5-2?distro=trixie
purl	pkg:deb/debian/calibre@9.7.0%2Bds%2B~0.10.5-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.7.0%252Bds%252B~0.10.5-2%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.8.0%2Bds%2B~0.10.5-1?distro=trixie
purl	pkg:deb/debian/calibre@9.8.0%2Bds%2B~0.10.5-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.8.0%252Bds%252B~0.10.5-1%3Fdistro=trixie

aliases CVE-2026-26065

risk_score 4.2

exploitability 0.5

weighted_severity 8.4

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bjj5-ynf7-v7aa

url VCID-jwpx-aqjh-dqej

vulnerability_id VCID-jwpx-aqjh-dqej

summary calibre: Calibre: Remote Code Execution via path traversal in CHM reader

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25635.json

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25635.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-25635

reference_id

reference_type

scores

value	0.00082
scoring_system	epss
scoring_elements	0.24132
published_at	2026-04-02T12:55:00Z

value	0.00082
scoring_system	epss
scoring_elements	0.24043
published_at	2026-04-12T12:55:00Z

value	0.00082
scoring_system	epss
scoring_elements	0.2417
published_at	2026-04-04T12:55:00Z

value	0.00082
scoring_system	epss
scoring_elements	0.23956
published_at	2026-04-07T12:55:00Z

value	0.00082
scoring_system	epss
scoring_elements	0.24023
published_at	2026-04-08T12:55:00Z

value	0.00082
scoring_system	epss
scoring_elements	0.24069
published_at	2026-04-09T12:55:00Z

value	0.00082
scoring_system	epss
scoring_elements	0.24087
published_at	2026-04-11T12:55:00Z

value	0.00082
scoring_system	epss
scoring_elements	0.23986
published_at	2026-04-13T12:55:00Z

value	0.00094
scoring_system	epss
scoring_elements	0.26229
published_at	2026-04-18T12:55:00Z

value	0.00094
scoring_system	epss
scoring_elements	0.26194
published_at	2026-04-21T12:55:00Z

value	0.00094
scoring_system	epss
scoring_elements	0.26119
published_at	2026-04-24T12:55:00Z

value	0.00094
scoring_system	epss
scoring_elements	0.26115
published_at	2026-04-26T12:55:00Z

value	0.00094
scoring_system	epss
scoring_elements	0.26064
published_at	2026-04-29T12:55:00Z

value	0.00094
scoring_system	epss
scoring_elements	0.26254
published_at	2026-04-16T12:55:00Z

value	0.00137
scoring_system	epss
scoring_elements	0.33053
published_at	2026-05-05T12:55:00Z

value	0.00137
scoring_system	epss
scoring_elements	0.33161
published_at	2026-05-09T12:55:00Z

value	0.00137
scoring_system	epss
scoring_elements	0.33072
published_at	2026-05-11T12:55:00Z

value	0.00137
scoring_system	epss
scoring_elements	0.33097
published_at	2026-05-12T12:55:00Z

value	0.00137
scoring_system	epss
scoring_elements	0.33121
published_at	2026-05-07T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-25635

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25635
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25635

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2437936
reference_id	2437936
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2437936

reference_url

https://github.com/kovidgoyal/calibre/commit/9739232fcb029ac15dfe52ccd4fdb4a07ebb6ce9

reference_id

9739232fcb029ac15dfe52ccd4fdb4a07ebb6ce9

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-09T15:20:48Z/

url

https://github.com/kovidgoyal/calibre/commit/9739232fcb029ac15dfe52ccd4fdb4a07ebb6ce9

reference_url

https://github.com/kovidgoyal/calibre/security/advisories/GHSA-32vh-whvh-9fxr

reference_id

GHSA-32vh-whvh-9fxr

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-09T15:20:48Z/

url

https://github.com/kovidgoyal/calibre/security/advisories/GHSA-32vh-whvh-9fxr

fixed_packages

url	pkg:deb/debian/calibre@9.8.0%2Bds%2B~0.10.5-5?distro=trixie
purl	pkg:deb/debian/calibre@9.8.0%2Bds%2B~0.10.5-5?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.8.0%252Bds%252B~0.10.5-5%3Fdistro=trixie

url pkg:deb/debian/calibre@5.12.0%2Bdfsg-1%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/calibre@5.12.0%2Bdfsg-1%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2w1b-b6qm-4qhf

vulnerability	VCID-b3vv-xdp2-7ub8

vulnerability	VCID-bjj5-ynf7-v7aa

vulnerability	VCID-dywq-dzuv-wka2

vulnerability	VCID-hgmk-8s7s-tfdb

vulnerability	VCID-jwpx-aqjh-dqej

vulnerability	VCID-mqmp-g7uy-gbg4

vulnerability	VCID-nj3z-4ya4-bqf7

vulnerability	VCID-vq4p-dvg4-eudz

vulnerability	VCID-x63d-4kux-cqcu

vulnerability	VCID-zhz3-1799-a7hk

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@5.12.0%252Bdfsg-1%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/calibre@5.12.0%2Bdfsg-1%2Bdeb11u4?distro=trixie
purl	pkg:deb/debian/calibre@5.12.0%2Bdfsg-1%2Bdeb11u4?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@5.12.0%252Bdfsg-1%252Bdeb11u4%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.2.0%2Bds%2B~0.10.5-1?distro=trixie
purl	pkg:deb/debian/calibre@9.2.0%2Bds%2B~0.10.5-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.2.0%252Bds%252B~0.10.5-1%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-5?distro=trixie
purl	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-5?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.6.0%252Bds%252B~0.10.5-5%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-6?distro=trixie
purl	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-6?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.6.0%252Bds%252B~0.10.5-6%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.7.0%2Bds%2B~0.10.5-2?distro=trixie
purl	pkg:deb/debian/calibre@9.7.0%2Bds%2B~0.10.5-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.7.0%252Bds%252B~0.10.5-2%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.8.0%2Bds%2B~0.10.5-1?distro=trixie
purl	pkg:deb/debian/calibre@9.8.0%2Bds%2B~0.10.5-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.8.0%252Bds%252B~0.10.5-1%3Fdistro=trixie

aliases CVE-2026-25635

risk_score 3.9

exploitability 0.5

weighted_severity 7.7

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jwpx-aqjh-dqej

url VCID-vq4p-dvg4-eudz

vulnerability_id VCID-vq4p-dvg4-eudz

summary calibre: Calibre: Arbitrary file corruption via path traversal in EPUB conversion

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25636.json

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25636.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-25636

reference_id

reference_type

scores

value	0.00022
scoring_system	epss
scoring_elements	0.06022
published_at	2026-04-12T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.05948
published_at	2026-04-02T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.05981
published_at	2026-04-04T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.05964
published_at	2026-04-07T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.06003
published_at	2026-04-08T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.06041
published_at	2026-04-09T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.06031
published_at	2026-04-11T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.06014
published_at	2026-04-13T12:55:00Z

value	0.00026
scoring_system	epss
scoring_elements	0.07143
published_at	2026-05-05T12:55:00Z

value	0.00026
scoring_system	epss
scoring_elements	0.07379
published_at	2026-05-09T12:55:00Z

value	0.00026
scoring_system	epss
scoring_elements	0.07358
published_at	2026-05-11T12:55:00Z

value	0.00026
scoring_system	epss
scoring_elements	0.07192
published_at	2026-04-21T12:55:00Z

value	0.00026
scoring_system	epss
scoring_elements	0.07162
published_at	2026-04-24T12:55:00Z

value	0.00026
scoring_system	epss
scoring_elements	0.07169
published_at	2026-04-26T12:55:00Z

value	0.00026
scoring_system	epss
scoring_elements	0.07127
published_at	2026-04-29T12:55:00Z

value	0.00026
scoring_system	epss
scoring_elements	0.07298
published_at	2026-05-07T12:55:00Z

value	0.00026
scoring_system	epss
scoring_elements	0.07372
published_at	2026-05-12T12:55:00Z

value	0.00026
scoring_system	epss
scoring_elements	0.07085
published_at	2026-04-16T12:55:00Z

value	0.00026
scoring_system	epss
scoring_elements	0.07061
published_at	2026-04-18T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-25636

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25636
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25636

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2437730
reference_id	2437730
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2437730

reference_url

https://github.com/kovidgoyal/calibre/commit/9484ea82c6ab226c18e6ca5aa000fa16de598726

reference_id

9484ea82c6ab226c18e6ca5aa000fa16de598726

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:19:25Z/

url

https://github.com/kovidgoyal/calibre/commit/9484ea82c6ab226c18e6ca5aa000fa16de598726

reference_url

https://github.com/kovidgoyal/calibre/security/advisories/GHSA-8r26-m7j5-hm29

reference_id

GHSA-8r26-m7j5-hm29

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-09T15:19:25Z/

url

https://github.com/kovidgoyal/calibre/security/advisories/GHSA-8r26-m7j5-hm29

fixed_packages

url	pkg:deb/debian/calibre@9.8.0%2Bds%2B~0.10.5-5?distro=trixie
purl	pkg:deb/debian/calibre@9.8.0%2Bds%2B~0.10.5-5?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.8.0%252Bds%252B~0.10.5-5%3Fdistro=trixie

url pkg:deb/debian/calibre@5.12.0%2Bdfsg-1%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/calibre@5.12.0%2Bdfsg-1%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2w1b-b6qm-4qhf

vulnerability	VCID-b3vv-xdp2-7ub8

vulnerability	VCID-bjj5-ynf7-v7aa

vulnerability	VCID-dywq-dzuv-wka2

vulnerability	VCID-hgmk-8s7s-tfdb

vulnerability	VCID-jwpx-aqjh-dqej

vulnerability	VCID-mqmp-g7uy-gbg4

vulnerability	VCID-nj3z-4ya4-bqf7

vulnerability	VCID-vq4p-dvg4-eudz

vulnerability	VCID-x63d-4kux-cqcu

vulnerability	VCID-zhz3-1799-a7hk

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@5.12.0%252Bdfsg-1%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/calibre@5.12.0%2Bdfsg-1%2Bdeb11u4?distro=trixie
purl	pkg:deb/debian/calibre@5.12.0%2Bdfsg-1%2Bdeb11u4?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@5.12.0%252Bdfsg-1%252Bdeb11u4%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.2.0%2Bds%2B~0.10.5-1?distro=trixie
purl	pkg:deb/debian/calibre@9.2.0%2Bds%2B~0.10.5-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.2.0%252Bds%252B~0.10.5-1%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-5?distro=trixie
purl	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-5?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.6.0%252Bds%252B~0.10.5-5%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-6?distro=trixie
purl	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-6?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.6.0%252Bds%252B~0.10.5-6%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.7.0%2Bds%2B~0.10.5-2?distro=trixie
purl	pkg:deb/debian/calibre@9.7.0%2Bds%2B~0.10.5-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.7.0%252Bds%252B~0.10.5-2%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.8.0%2Bds%2B~0.10.5-1?distro=trixie
purl	pkg:deb/debian/calibre@9.8.0%2Bds%2B~0.10.5-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.8.0%252Bds%252B~0.10.5-1%3Fdistro=trixie

aliases CVE-2026-25636

risk_score 3.7

exploitability 0.5

weighted_severity 7.4

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vq4p-dvg4-eudz

url VCID-x63d-4kux-cqcu

vulnerability_id VCID-x63d-4kux-cqcu

summary calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows, this leads to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. Function extract_pictures only checks startswith('Pictures'), and does not sanitize '..' sequences. calibre's own ZipFile.extractall() in utils/zipfile.py does sanitize '..' via _get_targetpath(), but extract_pictures() bypasses this by using manual zf.read() + open(). This issue has been fixed in version 9.3.0.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-26064

reference_id

reference_type

scores

value	0.00067
scoring_system	epss
scoring_elements	0.20787
published_at	2026-04-02T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20636
published_at	2026-04-08T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20698
published_at	2026-04-09T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20718
published_at	2026-04-11T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20675
published_at	2026-04-12T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20622
published_at	2026-04-13T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20608
published_at	2026-04-16T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20605
published_at	2026-04-18T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20596
published_at	2026-04-21T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20482
published_at	2026-04-24T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20479
published_at	2026-04-26T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.20846
published_at	2026-04-04T12:55:00Z

value	0.00067
scoring_system	epss
scoring_elements	0.2056
published_at	2026-04-07T12:55:00Z

value	0.00077
scoring_system	epss
scoring_elements	0.22867
published_at	2026-04-29T12:55:00Z

value	0.00083
scoring_system	epss
scoring_elements	0.23963
published_at	2026-05-12T12:55:00Z

value	0.00083
scoring_system	epss
scoring_elements	0.23848
published_at	2026-05-05T12:55:00Z

value	0.00083
scoring_system	epss
scoring_elements	0.2393
published_at	2026-05-07T12:55:00Z

value	0.00083
scoring_system	epss
scoring_elements	0.23999
published_at	2026-05-09T12:55:00Z

value	0.00083
scoring_system	epss
scoring_elements	0.23944
published_at	2026-05-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-26064

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26064
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26064

reference_url

https://github.com/kovidgoyal/calibre/commit/e1b5f9b45a5e8fa96c136963ad9a1d35e6adac62

reference_id

e1b5f9b45a5e8fa96c136963ad9a1d35e6adac62

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:29:11Z/

url

https://github.com/kovidgoyal/calibre/commit/e1b5f9b45a5e8fa96c136963ad9a1d35e6adac62

reference_url

https://github.com/kovidgoyal/calibre/security/advisories/GHSA-72ch-3hqc-pgmp

reference_id

GHSA-72ch-3hqc-pgmp

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:29:11Z/

url

https://github.com/kovidgoyal/calibre/security/advisories/GHSA-72ch-3hqc-pgmp

fixed_packages

url	pkg:deb/debian/calibre@9.8.0%2Bds%2B~0.10.5-5?distro=trixie
purl	pkg:deb/debian/calibre@9.8.0%2Bds%2B~0.10.5-5?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.8.0%252Bds%252B~0.10.5-5%3Fdistro=trixie

url pkg:deb/debian/calibre@5.12.0%2Bdfsg-1%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/calibre@5.12.0%2Bdfsg-1%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2w1b-b6qm-4qhf

vulnerability	VCID-b3vv-xdp2-7ub8

vulnerability	VCID-bjj5-ynf7-v7aa

vulnerability	VCID-dywq-dzuv-wka2

vulnerability	VCID-hgmk-8s7s-tfdb

vulnerability	VCID-jwpx-aqjh-dqej

vulnerability	VCID-mqmp-g7uy-gbg4

vulnerability	VCID-nj3z-4ya4-bqf7

vulnerability	VCID-vq4p-dvg4-eudz

vulnerability	VCID-x63d-4kux-cqcu

vulnerability	VCID-zhz3-1799-a7hk

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@5.12.0%252Bdfsg-1%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/calibre@5.12.0%2Bdfsg-1%2Bdeb11u4?distro=trixie
purl	pkg:deb/debian/calibre@5.12.0%2Bdfsg-1%2Bdeb11u4?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@5.12.0%252Bdfsg-1%252Bdeb11u4%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.3.0%2Bds%2B~0.10.5-1?distro=trixie
purl	pkg:deb/debian/calibre@9.3.0%2Bds%2B~0.10.5-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.3.0%252Bds%252B~0.10.5-1%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-5?distro=trixie
purl	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-5?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.6.0%252Bds%252B~0.10.5-5%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-6?distro=trixie
purl	pkg:deb/debian/calibre@9.6.0%2Bds%2B~0.10.5-6?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.6.0%252Bds%252B~0.10.5-6%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.7.0%2Bds%2B~0.10.5-2?distro=trixie
purl	pkg:deb/debian/calibre@9.7.0%2Bds%2B~0.10.5-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.7.0%252Bds%252B~0.10.5-2%3Fdistro=trixie

url	pkg:deb/debian/calibre@9.8.0%2Bds%2B~0.10.5-1?distro=trixie
purl	pkg:deb/debian/calibre@9.8.0%2Bds%2B~0.10.5-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@9.8.0%252Bds%252B~0.10.5-1%3Fdistro=trixie

aliases CVE-2026-26064

risk_score 4.2

exploitability 0.5

weighted_severity 8.4

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x63d-4kux-cqcu

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/calibre@5.12.0%252Bdfsg-1%252Bdeb11u4%3Fdistro=trixie

Package Instance