CVE-2023-46303

7.5 HIGH

📋 TL;DR

This vulnerability in calibre's HTML conversion plugin allows Server-Side Request Forgery (SSRF) in the default configuration: links in HTML being converted can make calibre reach resources outside the document root. It affects calibre users who convert HTML files to other formats and can lead to unauthorized file access and potential data exfiltration.

💻 Affected Systems

Products:
  • calibre
Versions: All versions before 6.19.0
Operating Systems: All platforms running calibre (Linux, Windows, macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable by default when converting HTML files containing malicious links. Requires user interaction to process malicious HTML content.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access sensitive local files, internal network resources, or cloud metadata services, potentially leading to data theft, privilege escalation, or further network compromise.

🟠 Likely Case

Unauthorized access to local files on the calibre server, potentially exposing configuration files, credentials, or user data stored in accessible directories.

🟢 If Mitigated

Limited impact with proper network segmentation, file system permissions, and restricted calibre usage to trusted content only.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking a user into converting malicious HTML content. Public proof-of-concept demonstrates SSRF via img tags.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.19.0 and later

Vendor Advisory: https://github.com/kovidgoyal/calibre/compare/v6.18.1...v6.19.0

Restart Required: No

Instructions:

1. Update calibre to version 6.19.0 or later using your package manager or calibre's built-in updater.
2. Linux: run apt-get upgrade calibre or your distribution's equivalent.
3. Windows/macOS: download the latest version from calibre-ebook.com.

🔧 Temporary Workarounds

Disable HTML conversion (platform: all)

Temporarily disable HTML file conversion in calibre until patched.

Restrict file system access (platform: linux)

Run calibre with minimal file system permissions using sandboxing or containerization, for example:

firejail calibre
docker run --read-only -v /safe/path:/data calibre

🧯 If You Can't Patch

  • Only convert HTML files from trusted sources
  • Run calibre in an isolated environment with restricted network and file access
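A pre-conversion screening step for the "trusted sources" advice above, written here as an added example (not part of this advisory or of calibre): it parses an HTML file and flags every img/link/script/iframe/a reference that points to an external URL or resolves to a path outside the chosen document root, so such files can be reviewed before calibre converts them. The tag list, the "books" document root and the sample HTML are constructed for the example.

```python
# Added example, not calibre's own code: screen an HTML file before handing it
# to calibre, flagging references to external URLs or to paths outside the
# document root. Tag list, paths and the sample HTML below are constructed.
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlsplit, unquote

# Tags whose referenced resource a converter may read or fetch.
RESOURCE_ATTRS = {"img": "src", "link": "href", "script": "src",
                  "iframe": "src", "a": "href"}

class _RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        want = RESOURCE_ATTRS.get(tag)
        self.refs += [(tag, v) for k, v in attrs if k == want and v]

def classify_ref(ref, html_dir, doc_root):
    """Return 'ok', 'external' or 'outside_root' for one reference."""
    parts = urlsplit(ref)
    if parts.scheme == "file":
        target = Path(unquote(parts.path))
    elif parts.scheme or parts.netloc:      # http(s)://, //host/, data:, ...
        return "external"
    elif not parts.path:                    # bare fragment such as '#ch1'
        return "ok"
    else:
        path = unquote(parts.path)
        target = Path(path) if path.startswith("/") else Path(html_dir) / path
    try:
        target.resolve(strict=False).relative_to(Path(doc_root).resolve())
    except ValueError:
        return "outside_root"
    return "ok"

def find_suspicious_refs(html_text, html_path, doc_root):
    """Return [(tag, ref, verdict)] for every reference that is not 'ok'."""
    collector = _RefCollector()
    collector.feed(html_text)
    html_dir = Path(html_path).parent
    verdicts = [(t, r, classify_ref(r, html_dir, doc_root)) for t, r in collector.refs]
    return [hit for hit in verdicts if hit[2] != "ok"]

# Constructed sample: a local image and a fragment link (fine) plus three
# references that should be reviewed before conversion.
SAMPLE_HTML = ('<img src="cover.jpg"><a href="#ch1">Chapter 1</a>'
               '<img src="../../../etc/passwd">'
               '<img src="http://example.invalid/pixel.png">'
               '<a href="file:///etc/hostname">notes</a>')

FINDINGS = find_suspicious_refs(SAMPLE_HTML, "books/index.html", "books")
```

FINDINGS holds the three flagged references (the traversal path, the http URL and the file: URL) while the local cover image and the fragment link pass.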

🔍 How to Verify

Check if Vulnerable:

Check the installed version with calibre --version. If it is below 6.19.0, the installation is vulnerable.

Check Version:

calibre --version

Verify Fix Applied:

After updating, confirm that the reported version is 6.19.0 or higher: calibre --version

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns from calibre process
  • Conversion attempts with external URLs in HTML content

Network Indicators:

  • calibre process making unexpected network requests to internal resources

SIEM Query:

process_name:"calibre" AND (event_type:"file_access" OR dest_ip:private_ip_range)
