CVE-2025-65858

3.5 LOW

📋 TL;DR

A stored cross-site scripting vulnerability in Calibre-Web allows attackers to inject malicious JavaScript into username fields during user creation. The payload executes when administrators view the user list via the /ajax/listusers endpoint, potentially compromising admin sessions. This affects all Calibre-Web instances running vulnerable versions.

💻 Affected Systems

Products:
  • Calibre-Web
Versions: v0.6.25 and possibly earlier versions
Operating Systems: All platforms running Calibre-Web
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user creation capability; typically only administrators can create users, but configurations may vary

⚠️ Risk & Real-World Impact

🔴 Worst Case: Administrator account takeover leading to complete system compromise, data theft, or ransomware deployment
🟠 Likely Case: Session hijacking of administrators, credential theft, or unauthorized actions performed with admin privileges
🟢 If Mitigated: Limited to self-XSS if only low-privileged users can create accounts, or blocked by CSP headers

🌐 Internet-Facing: HIGH - Web applications exposed to the internet are directly accessible to attackers
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to create users (typically admin access) or social engineering to trick admins into creating malicious users

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.6.26 or later

Vendor Advisory: https://github.com/janeczku/calibre-web

Restart Required: Yes

Instructions:

1. Back up your Calibre-Web database and configuration.
2. Stop the Calibre-Web service.
3. Update to v0.6.26 or later via git pull or manual download.
4. Restart the Calibre-Web service.
5. Verify the fix by checking the version.

🔧 Temporary Workarounds

Input Sanitization via WAF (all platforms): Deploy a web application firewall with XSS filtering rules to sanitize username input

Restrict User Creation (all platforms): Temporarily disable user creation functionality until patching is complete

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to block inline JavaScript execution
  • Restrict access to /ajax/listusers endpoint to trusted IP addresses only

🔍 How to Verify

Check if Vulnerable:

Check if Calibre-Web version is v0.6.25 or earlier. Attempt to create a user with username containing <script>alert('test')</script> and see if it executes when viewing user list.

Check Version:

Check the Calibre-Web web interface footer or examine the source code version file

Verify Fix Applied:

After updating, attempt the same XSS payload in username field and verify it does not execute when viewing user list.

📡 Detection & Monitoring

Log Indicators:

  • Unusual username creation with script tags or JavaScript code
  • Multiple failed user creation attempts with special characters

Network Indicators:

  • HTTP POST requests to user creation endpoint with script payloads
  • Unusual requests to /ajax/listusers from unexpected sources

SIEM Query:

source="calibre-web" AND (message="*<script>*" OR message="*javascript:*")
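The SIEM query above only matches a literal lowercase `<script>`. The following added example (not part of this advisory or of Calibre-Web's code) shows a case-insensitive check for markup in a username field applied to constructed log lines, beside a hardened rendering that escapes the username before it reaches the user list; the log format, the `/user/new` path and the `name` field are assumed placeholders, not Calibre-Web's real layout.

```python
import html
import re
from urllib.parse import parse_qs

# Heuristic for markup or script in a username: an HTML tag opener, a
# javascript: URI, or an inline event handler. Case-insensitive so that
# <ScRiPt> or JaVaScRiPt: are not missed, unlike a literal "*<script>*" match.
MARKUP_PATTERN = re.compile(
    r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE
)


def username_has_markup(username: str) -> bool:
    """True if the username contains HTML tags, javascript: URIs or on*= handlers."""
    return bool(MARKUP_PATTERN.search(username))


def render_user_row_vulnerable(username: str) -> str:
    """Hypothetical unsafe rendering: the stored username is interpolated verbatim."""
    return f"<tr><td>{username}</td></tr>"


def render_user_row_safe(username: str) -> str:
    """Hardened rendering: escape &, <, >, ' and " so the browser shows text, not markup."""
    return f"<tr><td>{html.escape(username, quote=True)}</td></tr>"


# Constructed log lines in an assumed "METHOD PATH FORM-BODY" format (placeholder
# path /user/new, placeholder field name); not Calibre-Web's real log layout.
SAMPLE_LOG = """\
POST /user/new name=alice&email=alice%40example.org
POST /user/new name=%3Cscript%3Ealert%28%27test%27%29%3C%2Fscript%3E&email=x%40example.org
POST /user/new name=%3CScRiPt%3Ealert%281%29%3C%2FScRiPt%3E&email=y%40example.org
GET /ajax/listusers
"""


def suspicious_user_creations(log_text: str, user_field: str = "name") -> list:
    """Return the decoded usernames from POST lines whose user field contains markup."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3 or parts[0] != "POST":
            continue  # only form submissions carry a username to inspect
        body = parse_qs(parts[2], keep_blank_values=True)  # percent-decodes values
        for username in body.get(user_field, []):
            if username_has_markup(username):
                hits.append(username)
    return hits
```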
