{"url":"http://public2.vulnerablecode.io/api/packages/26570?format=json","purl":"pkg:pypi/calibreweb@0.6.14","type":"pypi","namespace":"","name":"calibreweb","version":"0.6.14","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57709?format=json","vulnerability_id":"VCID-4xd2-y3tq-ckh8","summary":"Calibre Web and Autocaliweb have OS Command Injection vulnerability\nImproper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Calibre Web, Autocaliweb allows Blind OS Command Injection. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-7404","reference_id":"","reference_type":"","scores":[{"value":"0.02327","scoring_system":"epss","scoring_elements":"0.8514","published_at":"2026-06-05T12:55:00Z"},{"value":"0.02327","scoring_system":"epss","scoring_elements":"0.85129","published_at":"2026-06-08T12:55:00Z"},{"value":"0.02327","scoring_system":"epss","scoring_elements":"0.85139","published_at":"2026-06-07T12:55:00Z"},{"value":"0.02327","scoring_system":"epss","scoring_elements":"0.85145","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-7404"},{"reference_url":"https://fluidattacks.com/advisories/kino","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-25T13:33:27Z/"}],"url":"https://fluidattacks.com/advisories/kino"},{"reference_url":"https://github.com/gelbphoenix/autocaliweb","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-25T13:33:27Z/"}],"url":"https://github.com/gelbphoenix/autocaliweb"},{"reference_url":"https://github.com/janeczku/calibre-web","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-25T13:33:27Z/"}],"url":"https://github.com/janeczku/calibre-web"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-7404","reference_id":"CVE-2025-7404","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-7404"},{"reference_url":"https://github.com/advisories/GHSA-qc4j-v7h6-xr5h","reference_id":"GHSA-qc4j-v7h6-xr5h","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-qc4j-v7h6-xr5h"}],"fixed_packages":[],"aliases":["CVE-2025-7404","GHSA-qc4j-v7h6-xr5h"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4xd2-y3tq-ckh8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35974?format=json","vulnerability_id":"VCID-6z85-9d5x-nyaq","summary":"Cross-site Scripting (XSS) - Reflected in Pypi calibreweb prior to 0.6.16.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0352","reference_id":"","reference_type":"","scores":[{"value":"0.00318","scoring_system":"epss","scoring_elements":"0.5515","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00318","scoring_system":"epss","scoring_elements":"0.55207","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00318","scoring_system":"epss","scoring_elements":"0.55216","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00318","scoring_system":"epss","scoring_elements":"0.55209","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00318","scoring_system":"epss","scoring_elements":"0.55187","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0352"},{"reference_url":"https://github.com/advisories/GHSA-h56g-v4vp-q9q6","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h56g-v4vp-q9q6"},{"reference_url":"https://github.com/janeczku/calibre-web","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web"},{"reference_url":"https://github.com/janeczku/calibre-web/commit/6bf07539788004513c3692c074ebc7ba4ce005e1","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web/commit/6bf07539788004513c3692c074ebc7ba4ce005e1"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/calibreweb/PYSEC-2022-18.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/calibreweb/PYSEC-2022-18.yaml"},{"reference_url":"https://huntr.dev/bounties/a577ff17-2ded-4c41-84ae-6ac02440f717","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/a577ff17-2ded-4c41-84ae-6ac02440f717"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0352","reference_id":"CVE-2022-0352","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0352"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26572?format=json","purl":"pkg:pypi/calibreweb@0.6.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4xd2-y3tq-ckh8"},{"vulnerability":"VCID-bkzx-fvcv-t3g8"},{"vulnerability":"VCID-g6g1-rcqv-wkdj"},{"vulnerability":"VCID-gb1g-yf4f-tygr"},{"vulnerability":"VCID-gwc3-dztv-37dw"},{"vulnerability":"VCID-jcpd-2fkh-mkc1"},{"vulnerability":"VCID-kekh-f74c-m7bt"},{"vulnerability":"VCID-m8wg-f36t-pygt"},{"vulnerability":"VCID-s28v-vbvy-3bgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.16"}],"aliases":["CVE-2022-0352","GHSA-h56g-v4vp-q9q6","PYSEC-2022-18"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6z85-9d5x-nyaq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35975?format=json","vulnerability_id":"VCID-9jsz-tc58-2ud8","summary":"Server-Side Request Forgery (SSRF) in Pypi calibreweb prior to 0.6.16.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0339","reference_id":"","reference_type":"","scores":[{"value":"0.00245","scoring_system":"epss","scoring_elements":"0.47956","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00245","scoring_system":"epss","scoring_elements":"0.48006","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00245","scoring_system":"epss","scoring_elements":"0.48024","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00245","scoring_system":"epss","scoring_elements":"0.4802","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00245","scoring_system":"epss","scoring_elements":"0.47976","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0339"},{"reference_url":"https://github.com/advisories/GHSA-4w8p-x6g8-fv64","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4w8p-x6g8-fv64"},{"reference_url":"https://github.com/janeczku/calibre-web","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web"},{"reference_url":"https://github.com/janeczku/calibre-web/commit/35f6f4c727c887f8f3607fe3233dbc1980d15020","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web/commit/35f6f4c727c887f8f3607fe3233dbc1980d15020"},{"reference_url":"https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web/commit/3b216bfa07ec7992eff03e55d61732af6df9bb92"},{"reference_url":"https://github.com/janeczku/calibre-web/releases/tag/0.6.16","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web/releases/tag/0.6.16"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/calibreweb/PYSEC-2022-23.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/calibreweb/PYSEC-2022-23.yaml"},{"reference_url":"https://huntr.dev/bounties/499688c4-6ac4-4047-a868-7922c3eab369","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/499688c4-6ac4-4047-a868-7922c3eab369"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0339","reference_id":"CVE-2022-0339","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0339"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26572?format=json","purl":"pkg:pypi/calibreweb@0.6.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4xd2-y3tq-ckh8"},{"vulnerability":"VCID-bkzx-fvcv-t3g8"},{"vulnerability":"VCID-g6g1-rcqv-wkdj"},{"vulnerability":"VCID-gb1g-yf4f-tygr"},{"vulnerability":"VCID-gwc3-dztv-37dw"},{"vulnerability":"VCID-jcpd-2fkh-mkc1"},{"vulnerability":"VCID-kekh-f74c-m7bt"},{"vulnerability":"VCID-m8wg-f36t-pygt"},{"vulnerability":"VCID-s28v-vbvy-3bgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.16"}],"aliases":["CVE-2022-0339","GHSA-4w8p-x6g8-fv64","PYSEC-2022-23"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9jsz-tc58-2ud8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35976?format=json","vulnerability_id":"VCID-am1q-9mhn-c7fr","summary":"Improper Access Control in Pypi calibreweb prior to 0.6.16.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0273","reference_id":"","reference_type":"","scores":[{"value":"0.00134","scoring_system":"epss","scoring_elements":"0.3251","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00134","scoring_system":"epss","scoring_elements":"0.3248","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00134","scoring_system":"epss","scoring_elements":"0.32512","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00134","scoring_system":"epss","scoring_elements":"0.3255","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00134","scoring_system":"epss","scoring_elements":"0.32582","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0273"},{"reference_url":"https://github.com/advisories/GHSA-vgmw-9cww-qq99","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vgmw-9cww-qq99"},{"reference_url":"https://github.com/janeczku/calibre-web","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web"},{"reference_url":"https://github.com/janeczku/calibre-web/commit/0c0313f375bed7b035c8c0482bbb09599e16bfcf","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web/commit/0c0313f375bed7b035c8c0482bbb09599e16bfcf"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/calibreweb/PYSEC-2022-22.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/calibreweb/PYSEC-2022-22.yaml"},{"reference_url":"https://huntr.dev/bounties/8f27686f-d698-4ab6-8ef0-899125792f13","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/8f27686f-d698-4ab6-8ef0-899125792f13"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0273","reference_id":"CVE-2022-0273","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0273"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26572?format=json","purl":"pkg:pypi/calibreweb@0.6.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4xd2-y3tq-ckh8"},{"vulnerability":"VCID-bkzx-fvcv-t3g8"},{"vulnerability":"VCID-g6g1-rcqv-wkdj"},{"vulnerability":"VCID-gb1g-yf4f-tygr"},{"vulnerability":"VCID-gwc3-dztv-37dw"},{"vulnerability":"VCID-jcpd-2fkh-mkc1"},{"vulnerability":"VCID-kekh-f74c-m7bt"},{"vulnerability":"VCID-m8wg-f36t-pygt"},{"vulnerability":"VCID-s28v-vbvy-3bgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.16"}],"aliases":["CVE-2022-0273","GHSA-vgmw-9cww-qq99","PYSEC-2022-22"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-am1q-9mhn-c7fr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44956?format=json","vulnerability_id":"VCID-bkzx-fvcv-t3g8","summary":"Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-2106","reference_id":"","reference_type":"","scores":[{"value":"0.00357","scoring_system":"epss","scoring_elements":"0.58297","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00357","scoring_system":"epss","scoring_elements":"0.58279","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00357","scoring_system":"epss","scoring_elements":"0.58295","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00357","scoring_system":"epss","scoring_elements":"0.58305","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-2106"},{"reference_url":"https://github.com/janeczku/calibre-web","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web"},{"reference_url":"https://github.com/janeczku/calibre-web/commit/49e4f540c9b204c7e39b3c27ceadecd83ed60e7e","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-06T15:32:47Z/"}],"url":"https://github.com/janeczku/calibre-web/commit/49e4f540c9b204c7e39b3c27ceadecd83ed60e7e"},{"reference_url":"https://huntr.dev/bounties/c3d5c647-7557-40a9-aee4-24dc14882781","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-06T15:32:47Z/"}],"url":"https://huntr.dev/bounties/c3d5c647-7557-40a9-aee4-24dc14882781"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2106","reference_id":"CVE-2023-2106","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2106"},{"reference_url":"https://github.com/advisories/GHSA-mhmp-m6g7-7c24","reference_id":"GHSA-mhmp-m6g7-7c24","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mhmp-m6g7-7c24"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64720?format=json","purl":"pkg:pypi/calibreweb@0.6.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4xd2-y3tq-ckh8"},{"vulnerability":"VCID-gb1g-yf4f-tygr"},{"vulnerability":"VCID-gwc3-dztv-37dw"},{"vulnerability":"VCID-m8wg-f36t-pygt"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.20"}],"aliases":["CVE-2023-2106","GHSA-mhmp-m6g7-7c24"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bkzx-fvcv-t3g8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56212?format=json","vulnerability_id":"VCID-c5yg-2q1m-qkf6","summary":"Improper Access Control in janeczku/calibre-web\nAn improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to create public shelves. The vulnerability is due to the `create_shelf` method in `shelf.py` not verifying if the user has the necessary permissions to create a public shelf. This issue can lead to unauthorized actions being performed by users.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3987","reference_id":"","reference_type":"","scores":[{"value":"0.00109","scoring_system":"epss","scoring_elements":"0.28706","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00109","scoring_system":"epss","scoring_elements":"0.28735","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00109","scoring_system":"epss","scoring_elements":"0.28807","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00109","scoring_system":"epss","scoring_elements":"0.28774","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00109","scoring_system":"epss","scoring_elements":"0.28739","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3987"},{"reference_url":"https://github.com/janeczku/calibre-web","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web"},{"reference_url":"https://github.com/janeczku/calibre-web/commit/bcdc97641447965af486964537f3821f47b28874","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-15T18:27:02Z/"}],"url":"https://github.com/janeczku/calibre-web/commit/bcdc97641447965af486964537f3821f47b28874"},{"reference_url":"https://huntr.com/bounties/29fcc091-87b6-43bc-ab4b-3c0bec3f71df","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-15T18:27:02Z/"}],"url":"https://huntr.com/bounties/29fcc091-87b6-43bc-ab4b-3c0bec3f71df"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3987","reference_id":"CVE-2021-3987","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3987"},{"reference_url":"https://github.com/advisories/GHSA-fj5v-w2jp-wqvj","reference_id":"GHSA-fj5v-w2jp-wqvj","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-fj5v-w2jp-wqvj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26571?format=json","purl":"pkg:pypi/calibreweb@0.6.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4xd2-y3tq-ckh8"},{"vulnerability":"VCID-6z85-9d5x-nyaq"},{"vulnerability":"VCID-9jsz-tc58-2ud8"},{"vulnerability":"VCID-am1q-9mhn-c7fr"},{"vulnerability":"VCID-bkzx-fvcv-t3g8"},{"vulnerability":"VCID-g6g1-rcqv-wkdj"},{"vulnerability":"VCID-gb1g-yf4f-tygr"},{"vulnerability":"VCID-gwc3-dztv-37dw"},{"vulnerability":"VCID-jcpd-2fkh-mkc1"},{"vulnerability":"VCID-kekh-f74c-m7bt"},{"vulnerability":"VCID-m8wg-f36t-pygt"},{"vulnerability":"VCID-s28v-vbvy-3bgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.15"}],"aliases":["CVE-2021-3987","GHSA-fj5v-w2jp-wqvj"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c5yg-2q1m-qkf6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42596?format=json","vulnerability_id":"VCID-g6g1-rcqv-wkdj","summary":"Server-Side Request Forgery in calibreweb\nServer-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0767","reference_id":"","reference_type":"","scores":[{"value":"0.00197","scoring_system":"epss","scoring_elements":"0.41532","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00197","scoring_system":"epss","scoring_elements":"0.4147","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00197","scoring_system":"epss","scoring_elements":"0.41502","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00197","scoring_system":"epss","scoring_elements":"0.4145","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00197","scoring_system":"epss","scoring_elements":"0.41525","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0767"},{"reference_url":"https://github.com/janeczku/calibre-web","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web"},{"reference_url":"https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8"},{"reference_url":"https://huntr.dev/bounties/b26fc127-9b6a-4be7-a455-58aefbb62d9e","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/b26fc127-9b6a-4be7-a455-58aefbb62d9e"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0767","reference_id":"CVE-2022-0767","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0767"},{"reference_url":"https://github.com/advisories/GHSA-h65g-jfqg-2w6m","reference_id":"GHSA-h65g-jfqg-2w6m","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h65g-jfqg-2w6m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60912?format=json","purl":"pkg:pypi/calibreweb@0.6.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4xd2-y3tq-ckh8"},{"vulnerability":"VCID-bkzx-fvcv-t3g8"},{"vulnerability":"VCID-gb1g-yf4f-tygr"},{"vulnerability":"VCID-gwc3-dztv-37dw"},{"vulnerability":"VCID-jcpd-2fkh-mkc1"},{"vulnerability":"VCID-m8wg-f36t-pygt"},{"vulnerability":"VCID-s28v-vbvy-3bgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.17"}],"aliases":["CVE-2022-0767","GHSA-h65g-jfqg-2w6m"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g6g1-rcqv-wkdj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49323?format=json","vulnerability_id":"VCID-gb1g-yf4f-tygr","summary":"Calibre-Web Has a Stored Cross-Site Scripting (XSS) Vulnerability via the 'username' Field During User Creation\nA Stored Cross-Site Scripting (XSS) vulnerability in Calibre-Web v0.6.25 allows attackers to inject malicious JavaScript into the 'username' field during user creation. The payload is stored unsanitized and later executed when the /ajax/listusers endpoint is accessed.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-65858","reference_id":"","reference_type":"","scores":[{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09226","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09149","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09207","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09208","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-65858"},{"reference_url":"https://github.com/janeczku/calibre-web","reference_id":"","reference_type":"","scores":[{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-65858","reference_id":"CVE-2025-65858","reference_type":"","scores":[{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-65858"},{"reference_url":"https://github.com/KhanhDuy155/calibre-web-CVE-2025-65858/blob/main/CVE-2025-65858.md","reference_id":"CVE-2025-65858.MD","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N"},{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T15:12:45Z/"}],"url":"https://github.com/KhanhDuy155/calibre-web-CVE-2025-65858/blob/main/CVE-2025-65858.md"},{"reference_url":"https://github.com/advisories/GHSA-pc5g-j9j7-p4q3","reference_id":"GHSA-pc5g-j9j7-p4q3","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pc5g-j9j7-p4q3"}],"fixed_packages":[],"aliases":["CVE-2025-65858","GHSA-pc5g-j9j7-p4q3"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gb1g-yf4f-tygr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57708?format=json","vulnerability_id":"VCID-gwc3-dztv-37dw","summary":"Calibre Web and Autocaliweb have a ReDoS vulnerability\nReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-6998","reference_id":"","reference_type":"","scores":[{"value":"0.00202","scoring_system":"epss","scoring_elements":"0.42311","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00202","scoring_system":"epss","scoring_elements":"0.42247","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00202","scoring_system":"epss","scoring_elements":"0.42283","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00202","scoring_system":"epss","scoring_elements":"0.423","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-6998"},{"reference_url":"https://fluidattacks.com/advisories/megadeth","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-24T19:50:08Z/"}],"url":"https://fluidattacks.com/advisories/megadeth"},{"reference_url":"https://github.com/gelbphoenix/autocaliweb","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-24T19:50:08Z/"}],"url":"https://github.com/gelbphoenix/autocaliweb"},{"reference_url":"https://github.com/janeczku/calibre-web","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-24T19:50:08Z/"}],"url":"https://github.com/janeczku/calibre-web"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6998","reference_id":"CVE-2025-6998","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6998"},{"reference_url":"https://github.com/advisories/GHSA-2g7m-ph9x-7q7m","reference_id":"GHSA-2g7m-ph9x-7q7m","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2g7m-ph9x-7q7m"}],"fixed_packages":[],"aliases":["CVE-2025-6998","GHSA-2g7m-ph9x-7q7m"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gwc3-dztv-37dw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56213?format=json","vulnerability_id":"VCID-hsbf-rfcu-qyaq","summary":"Generation of Error Message Containing Sensitive Information in janeczku/calibre-web\nA vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file shelf.py at line 221, where the name of the shelf is exposed in an error message when a user attempts to remove a book from a shelf they do not own. This vulnerability discloses private information and affects all versions prior to the fix.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3986","reference_id":"","reference_type":"","scores":[{"value":"0.002","scoring_system":"epss","scoring_elements":"0.41982","published_at":"2026-06-08T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.41961","published_at":"2026-06-04T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.42035","published_at":"2026-06-05T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.42046","published_at":"2026-06-06T12:55:00Z"},{"value":"0.002","scoring_system":"epss","scoring_elements":"0.42018","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3986"},{"reference_url":"https://github.com/janeczku/calibre-web","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web"},{"reference_url":"https://github.com/janeczku/calibre-web/commit/6f5390ead5df9779ac81fadefffb476e03f93548","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-15T18:30:20Z/"}],"url":"https://github.com/janeczku/calibre-web/commit/6f5390ead5df9779ac81fadefffb476e03f93548"},{"reference_url":"https://huntr.com/bounties/394af194-61a7-4e33-b373-877d4c766fca","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-15T18:30:20Z/"}],"url":"https://huntr.com/bounties/394af194-61a7-4e33-b373-877d4c766fca"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3986","reference_id":"CVE-2021-3986","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3986"},{"reference_url":"https://github.com/advisories/GHSA-m982-h4f8-g4hf","reference_id":"GHSA-m982-h4f8-g4hf","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-m982-h4f8-g4hf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26571?format=json","purl":"pkg:pypi/calibreweb@0.6.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4xd2-y3tq-ckh8"},{"vulnerability":"VCID-6z85-9d5x-nyaq"},{"vulnerability":"VCID-9jsz-tc58-2ud8"},{"vulnerability":"VCID-am1q-9mhn-c7fr"},{"vulnerability":"VCID-bkzx-fvcv-t3g8"},{"vulnerability":"VCID-g6g1-rcqv-wkdj"},{"vulnerability":"VCID-gb1g-yf4f-tygr"},{"vulnerability":"VCID-gwc3-dztv-37dw"},{"vulnerability":"VCID-jcpd-2fkh-mkc1"},{"vulnerability":"VCID-kekh-f74c-m7bt"},{"vulnerability":"VCID-m8wg-f36t-pygt"},{"vulnerability":"VCID-s28v-vbvy-3bgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.15"}],"aliases":["CVE-2021-3986","GHSA-m982-h4f8-g4hf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hsbf-rfcu-qyaq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/111589?format=json","vulnerability_id":"VCID-jcpd-2fkh-mkc1","summary":"SQL injection in calibreweb\nCalibre-Web before 0.6.18 allows user table SQL Injection.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-30765","reference_id":"","reference_type":"","scores":[{"value":"0.00264","scoring_system":"epss","scoring_elements":"0.50051","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00264","scoring_system":"epss","scoring_elements":"0.50078","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00264","scoring_system":"epss","scoring_elements":"0.50106","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00264","scoring_system":"epss","scoring_elements":"0.50121","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00264","scoring_system":"epss","scoring_elements":"0.50113","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-30765"},{"reference_url":"https://github.com/janeczku/calibre-web","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web"},{"reference_url":"https://github.com/janeczku/calibre-web/blob/master/SECURITY.md","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web/blob/master/SECURITY.md"},{"reference_url":"https://github.com/janeczku/calibre-web/releases/tag/0.6.18","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web/releases/tag/0.6.18"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-30765","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-30765"},{"reference_url":"https://github.com/advisories/GHSA-8ppf-x4gr-2x7g","reference_id":"GHSA-8ppf-x4gr-2x7g","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8ppf-x4gr-2x7g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/153106?format=json","purl":"pkg:pypi/calibreweb@0.6.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4xd2-y3tq-ckh8"},{"vulnerability":"VCID-bkzx-fvcv-t3g8"},{"vulnerability":"VCID-gb1g-yf4f-tygr"},{"vulnerability":"VCID-gwc3-dztv-37dw"},{"vulnerability":"VCID-m8wg-f36t-pygt"},{"vulnerability":"VCID-s28v-vbvy-3bgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.18"}],"aliases":["CVE-2022-30765","GHSA-8ppf-x4gr-2x7g"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jcpd-2fkh-mkc1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42595?format=json","vulnerability_id":"VCID-kekh-f74c-m7bt","summary":"Server-Side Request Forgery in calibreweb\nServer-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0766","reference_id":"","reference_type":"","scores":[{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52542","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52563","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52591","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.5261","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00288","scoring_system":"epss","scoring_elements":"0.52602","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0766"},{"reference_url":"https://github.com/janeczku/calibre-web","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web"},{"reference_url":"https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web/commit/965352c8d96c9eae7a6867ff76b0db137d04b0b8"},{"reference_url":"https://huntr.dev/bounties/7f2a5bb4-e6c7-4b6a-b8eb-face9e3add7b","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/7f2a5bb4-e6c7-4b6a-b8eb-face9e3add7b"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0766","reference_id":"CVE-2022-0766","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0766"},{"reference_url":"https://github.com/advisories/GHSA-2647-c639-qv2j","reference_id":"GHSA-2647-c639-qv2j","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2647-c639-qv2j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60912?format=json","purl":"pkg:pypi/calibreweb@0.6.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4xd2-y3tq-ckh8"},{"vulnerability":"VCID-bkzx-fvcv-t3g8"},{"vulnerability":"VCID-gb1g-yf4f-tygr"},{"vulnerability":"VCID-gwc3-dztv-37dw"},{"vulnerability":"VCID-jcpd-2fkh-mkc1"},{"vulnerability":"VCID-m8wg-f36t-pygt"},{"vulnerability":"VCID-s28v-vbvy-3bgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.17"}],"aliases":["CVE-2022-0766","GHSA-2647-c639-qv2j"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kekh-f74c-m7bt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42162?format=json","vulnerability_id":"VCID-kswt-bt4h-nbdf","summary":"calibre-web is vulnerable to Business Logic Errors","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-4171","reference_id":"","reference_type":"","scores":[{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63576","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63556","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63567","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63526","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63568","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-4171"},{"reference_url":"https://github.com/janeczku/calibre-web","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web"},{"reference_url":"https://github.com/janeczku/calibre-web/commit/3e0d8763c377d2146462811e3e4ccf13f0d312ce","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web/commit/3e0d8763c377d2146462811e3e4ccf13f0d312ce"},{"reference_url":"https://huntr.dev/bounties/1117f439-133c-4563-afb2-6cd80607bd5c","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/1117f439-133c-4563-afb2-6cd80607bd5c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-4171","reference_id":"CVE-2021-4171","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-4171"},{"reference_url":"https://github.com/advisories/GHSA-xp7p-3gx7-j6wx","reference_id":"GHSA-xp7p-3gx7-j6wx","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xp7p-3gx7-j6wx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26571?format=json","purl":"pkg:pypi/calibreweb@0.6.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4xd2-y3tq-ckh8"},{"vulnerability":"VCID-6z85-9d5x-nyaq"},{"vulnerability":"VCID-9jsz-tc58-2ud8"},{"vulnerability":"VCID-am1q-9mhn-c7fr"},{"vulnerability":"VCID-bkzx-fvcv-t3g8"},{"vulnerability":"VCID-g6g1-rcqv-wkdj"},{"vulnerability":"VCID-gb1g-yf4f-tygr"},{"vulnerability":"VCID-gwc3-dztv-37dw"},{"vulnerability":"VCID-jcpd-2fkh-mkc1"},{"vulnerability":"VCID-kekh-f74c-m7bt"},{"vulnerability":"VCID-m8wg-f36t-pygt"},{"vulnerability":"VCID-s28v-vbvy-3bgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.15"}],"aliases":["CVE-2021-4171","GHSA-xp7p-3gx7-j6wx"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kswt-bt4h-nbdf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55546?format=json","vulnerability_id":"VCID-m8wg-f36t-pygt","summary":"Calibre-Web Cross Site Scripting (XSS)\nIn janeczku Calibre-Web 0.6.0 to 0.6.21, the edit_book_comments function is vulnerable to Cross Site Scripting (XSS) due to improper sanitization performed by the clean_string function. The vulnerability arises from the way the clean_string function handles HTML sanitization.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39123","reference_id":"","reference_type":"","scores":[{"value":"0.16445","scoring_system":"epss","scoring_elements":"0.95016","published_at":"2026-06-08T12:55:00Z"},{"value":"0.16445","scoring_system":"epss","scoring_elements":"0.95014","published_at":"2026-06-06T12:55:00Z"},{"value":"0.16445","scoring_system":"epss","scoring_elements":"0.95013","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39123"},{"reference_url":"https://github.com/janeczku/calibre-web","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web"},{"reference_url":"https://github.com/pentesttoolscom/vulnerability-research/tree/master/CVE-2024-39123","reference_id":"CVE-2024-39123","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-23T15:47:04Z/"}],"url":"https://github.com/pentesttoolscom/vulnerability-research/tree/master/CVE-2024-39123"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39123","reference_id":"CVE-2024-39123","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39123"},{"reference_url":"https://github.com/advisories/GHSA-j22r-3rf3-cv25","reference_id":"GHSA-j22r-3rf3-cv25","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j22r-3rf3-cv25"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/752005?format=json","purl":"pkg:pypi/calibreweb@0.6.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4xd2-y3tq-ckh8"},{"vulnerability":"VCID-gb1g-yf4f-tygr"},{"vulnerability":"VCID-gwc3-dztv-37dw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.22"}],"aliases":["CVE-2024-39123","GHSA-j22r-3rf3-cv25"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m8wg-f36t-pygt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42122?format=json","vulnerability_id":"VCID-mayx-3wtu-nkbp","summary":"calibre-web is vulnerable to Cross-site Scripting\ncalibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-4170","reference_id":"","reference_type":"","scores":[{"value":"0.00282","scoring_system":"epss","scoring_elements":"0.51897","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00282","scoring_system":"epss","scoring_elements":"0.51865","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00282","scoring_system":"epss","scoring_elements":"0.51917","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00282","scoring_system":"epss","scoring_elements":"0.51908","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00282","scoring_system":"epss","scoring_elements":"0.51849","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-4170"},{"reference_url":"https://github.com/janeczku/calibre-web","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web"},{"reference_url":"https://github.com/janeczku/calibre-web/commit/7ad419dc8c12180e842a82118f4866ac3d074bc5","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web/commit/7ad419dc8c12180e842a82118f4866ac3d074bc5"},{"reference_url":"https://huntr.dev/bounties/ff395101-e392-401d-ab4f-579c63fbf6a0","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/ff395101-e392-401d-ab4f-579c63fbf6a0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-4170","reference_id":"CVE-2021-4170","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-4170"},{"reference_url":"https://github.com/advisories/GHSA-wrp6-9w7f-3wxg","reference_id":"GHSA-wrp6-9w7f-3wxg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wrp6-9w7f-3wxg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26571?format=json","purl":"pkg:pypi/calibreweb@0.6.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4xd2-y3tq-ckh8"},{"vulnerability":"VCID-6z85-9d5x-nyaq"},{"vulnerability":"VCID-9jsz-tc58-2ud8"},{"vulnerability":"VCID-am1q-9mhn-c7fr"},{"vulnerability":"VCID-bkzx-fvcv-t3g8"},{"vulnerability":"VCID-g6g1-rcqv-wkdj"},{"vulnerability":"VCID-gb1g-yf4f-tygr"},{"vulnerability":"VCID-gwc3-dztv-37dw"},{"vulnerability":"VCID-jcpd-2fkh-mkc1"},{"vulnerability":"VCID-kekh-f74c-m7bt"},{"vulnerability":"VCID-m8wg-f36t-pygt"},{"vulnerability":"VCID-s28v-vbvy-3bgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.15"}],"aliases":["CVE-2021-4170","GHSA-wrp6-9w7f-3wxg"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mayx-3wtu-nkbp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44955?format=json","vulnerability_id":"VCID-s28v-vbvy-3bgb","summary":"Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-2525","reference_id":"","reference_type":"","scores":[{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57887","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57863","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57825","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57876","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57878","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-2525"},{"reference_url":"https://github.com/janeczku/calibre-web/commit/49e4f540c9b204c7e39b3c27ceadecd83ed60e7e","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-06T16:02:14Z/"}],"url":"https://github.com/janeczku/calibre-web/commit/49e4f540c9b204c7e39b3c27ceadecd83ed60e7e"},{"reference_url":"https://huntr.dev/bounties/9ff87820-c14c-4454-9764-406496254ef0","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-06T16:02:14Z/"}],"url":"https://huntr.dev/bounties/9ff87820-c14c-4454-9764-406496254ef0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2525","reference_id":"CVE-2022-2525","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2525"},{"reference_url":"https://github.com/advisories/GHSA-jg8w-wgx2-g7q4","reference_id":"GHSA-jg8w-wgx2-g7q4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jg8w-wgx2-g7q4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64720?format=json","purl":"pkg:pypi/calibreweb@0.6.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4xd2-y3tq-ckh8"},{"vulnerability":"VCID-gb1g-yf4f-tygr"},{"vulnerability":"VCID-gwc3-dztv-37dw"},{"vulnerability":"VCID-m8wg-f36t-pygt"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.20"}],"aliases":["CVE-2022-2525","GHSA-jg8w-wgx2-g7q4"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s28v-vbvy-3bgb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42123?format=json","vulnerability_id":"VCID-xmnj-teby-fygk","summary":"calibre-web is vulnerable to Cross-Site Request Forgery (CSRF)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-4164","reference_id":"","reference_type":"","scores":[{"value":"0.00134","scoring_system":"epss","scoring_elements":"0.33038","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00134","scoring_system":"epss","scoring_elements":"0.32969","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00134","scoring_system":"epss","scoring_elements":"0.33","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00134","scoring_system":"epss","scoring_elements":"0.3292","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00134","scoring_system":"epss","scoring_elements":"0.33025","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-4164"},{"reference_url":"https://github.com/janeczku/calibre-web","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web"},{"reference_url":"https://github.com/janeczku/calibre-web/commit/785726deee13b4d56f6c3503dd57c1e3eb7d6f30","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web/commit/785726deee13b4d56f6c3503dd57c1e3eb7d6f30"},{"reference_url":"https://huntr.dev/bounties/2debace1-a0f3-45c1-95fa-9d0512680758","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/2debace1-a0f3-45c1-95fa-9d0512680758"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-4164","reference_id":"CVE-2021-4164","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-4164"},{"reference_url":"https://github.com/advisories/GHSA-wxr6-29pv-ch68","reference_id":"GHSA-wxr6-29pv-ch68","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wxr6-29pv-ch68"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26571?format=json","purl":"pkg:pypi/calibreweb@0.6.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4xd2-y3tq-ckh8"},{"vulnerability":"VCID-6z85-9d5x-nyaq"},{"vulnerability":"VCID-9jsz-tc58-2ud8"},{"vulnerability":"VCID-am1q-9mhn-c7fr"},{"vulnerability":"VCID-bkzx-fvcv-t3g8"},{"vulnerability":"VCID-g6g1-rcqv-wkdj"},{"vulnerability":"VCID-gb1g-yf4f-tygr"},{"vulnerability":"VCID-gwc3-dztv-37dw"},{"vulnerability":"VCID-jcpd-2fkh-mkc1"},{"vulnerability":"VCID-kekh-f74c-m7bt"},{"vulnerability":"VCID-m8wg-f36t-pygt"},{"vulnerability":"VCID-s28v-vbvy-3bgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.15"}],"aliases":["CVE-2021-4164","GHSA-wxr6-29pv-ch68"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xmnj-teby-fygk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56205?format=json","vulnerability_id":"VCID-y3wa-7wgk-3khp","summary":"Cross-site Scripting (XSS) - DOM in janeczku/calibre-web\nA Cross-site Scripting (XSS) vulnerability exists in janeczku/calibre-web, specifically in the file `edit_books.js`. The vulnerability occurs when editing book properties, such as uploading a cover or a format. The affected code directly inserts user input into the DOM without proper sanitization, allowing attackers to execute arbitrary JavaScript code. This can lead to various attacks, including stealing cookies. The issue is present in the code handling the `#btn-upload-cover` change event.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3988","reference_id":"","reference_type":"","scores":[{"value":"0.00238","scoring_system":"epss","scoring_elements":"0.47015","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00238","scoring_system":"epss","scoring_elements":"0.46994","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00238","scoring_system":"epss","scoring_elements":"0.47059","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00238","scoring_system":"epss","scoring_elements":"0.47062","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00238","scoring_system":"epss","scoring_elements":"0.47044","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3988"},{"reference_url":"https://github.com/janeczku/calibre-web","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/janeczku/calibre-web"},{"reference_url":"https://github.com/janeczku/calibre-web/commit/7ad419dc8c12180e842a82118f4866ac3d074bc5","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-20T22:31:41Z/"}],"url":"https://github.com/janeczku/calibre-web/commit/7ad419dc8c12180e842a82118f4866ac3d074bc5"},{"reference_url":"https://huntr.com/bounties/fa4c8fd1-7846-4dad-9112-2c07461f0609","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-20T22:31:41Z/"}],"url":"https://huntr.com/bounties/fa4c8fd1-7846-4dad-9112-2c07461f0609"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3988","reference_id":"CVE-2021-3988","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3988"},{"reference_url":"https://github.com/advisories/GHSA-r735-9gc6-2hvq","reference_id":"GHSA-r735-9gc6-2hvq","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-r735-9gc6-2hvq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26571?format=json","purl":"pkg:pypi/calibreweb@0.6.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4xd2-y3tq-ckh8"},{"vulnerability":"VCID-6z85-9d5x-nyaq"},{"vulnerability":"VCID-9jsz-tc58-2ud8"},{"vulnerability":"VCID-am1q-9mhn-c7fr"},{"vulnerability":"VCID-bkzx-fvcv-t3g8"},{"vulnerability":"VCID-g6g1-rcqv-wkdj"},{"vulnerability":"VCID-gb1g-yf4f-tygr"},{"vulnerability":"VCID-gwc3-dztv-37dw"},{"vulnerability":"VCID-jcpd-2fkh-mkc1"},{"vulnerability":"VCID-kekh-f74c-m7bt"},{"vulnerability":"VCID-m8wg-f36t-pygt"},{"vulnerability":"VCID-s28v-vbvy-3bgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.15"}],"aliases":["CVE-2021-3988","GHSA-r735-9gc6-2hvq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y3wa-7wgk-3khp"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.14"}