CVE-2026-25635

8.6 HIGH

📋 TL;DR

Calibre e-book manager versions before 9.2.0 contain a path traversal vulnerability in the CHM reader that allows attackers to write arbitrary files anywhere the user has write permissions. On Windows systems, this can lead to remote code execution by placing malicious files in the Startup folder, which execute automatically on user login. All users running vulnerable versions of Calibre are affected.
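The containment check a fixed reader has to perform, as an added example that is not calibre's own code: CHM member names are chosen by whoever built the file, so each name is validated before any byte is written under the extraction directory. The extraction directory and the sample member names below are constructed for illustration.

```python
import os
import posixpath
import re
from typing import Optional

# Added example (not calibre's code): contain archive member names under an
# extraction directory before writing them. A CHM container carries member
# names chosen by whoever built the file, so a name alone must never decide
# where on disk the data lands.
_DRIVE = re.compile(r"^[A-Za-z]:")  # "C:/..." and relative "C:foo"

def safe_member_path(base_dir: str, member_name: str) -> Optional[str]:
    """Absolute on-disk path for member_name under base_dir, or None when the
    name is absolute, drive-qualified, or climbs out of base_dir."""
    # Backslashes count as separators: the file may have been built on one
    # platform and is opened on all of them.
    name = member_name.replace("\\", "/")
    if not name or name.startswith("/") or _DRIVE.match(name):
        return None
    norm = posixpath.normpath(name)  # "a/./b" -> "a/b", "a/b/../c" -> "a/c"
    parts = norm.split("/")
    if norm == "." or ".." in parts:
        return None  # empty name, or still escaping after normalisation
    base = os.path.abspath(base_dir)
    target = os.path.abspath(os.path.join(base, *parts))
    # Final guard against anything the string checks missed.
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target

def extract_member(base_dir: str, member_name: str, data: bytes) -> bool:
    """Write one member's data, refusing names that fail containment."""
    target = safe_member_path(base_dir, member_name)
    if target is None:
        return False
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return True

# Constructed sample member names and whether each should be accepted.
SAMPLE_MEMBERS = {
    "html/chapter1.htm": True,
    "images/../style.css": True,    # normalises to style.css, stays inside
    "../../Startup/x": False,       # climbs out of the extraction directory
    "..\\..\\Startup\\x": False,    # same with Windows separators
    "/etc/x": False,                # absolute path
    "C:\\Users\\Public\\x": False,  # drive-qualified path
}
```

Rejecting the name is the right outcome: a reader that instead "repairs" a traversing name by stripping `..` still lets the author of the file steer where data is written.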

💻 Affected Systems

Products:
  • calibre
Versions: All versions prior to 9.2.0
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Windows is specifically mentioned for RCE via the Startup folder, but the vulnerability exists on all platforms.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with full user privileges, potentially leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Local file system corruption, data loss, or malware installation through crafted CHM files.

🟢 If Mitigated: Limited to file writes in user-writable directories without execution privileges.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction to open a malicious CHM file. The vulnerability is straightforward to exploit once a malicious file is crafted.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.2.0

Vendor Advisory: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-32vh-whvh-9fxr

Restart Required: No

Instructions:

1. Open Calibre.
2. Go to Help → Check for updates.
3. Follow the prompts to update to version 9.2.0 or later.
4. Alternatively, download and install the latest version from calibre-ebook.com.

🔧 Temporary Workarounds

Disable CHM file processing
Platforms: all
Prevent Calibre from opening CHM files by removing or disabling the CHM reader plugin.
Step: Remove the CHM input plugin from Calibre's plugin directory.

Restrict file system access
Platforms: all
Run Calibre with reduced privileges or in a sandboxed environment.

🧯 If You Can't Patch

  • Avoid opening CHM files from untrusted sources with Calibre.
  • Use alternative software for CHM file viewing until patched.

🔍 How to Verify

Check if Vulnerable:

Check the Calibre version in Help → About. If the version is below 9.2.0, the system is vulnerable.

Check Version:

calibre --version

Verify Fix Applied:

Confirm Calibre version is 9.2.0 or higher in Help → About.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations by Calibre process
  • CHM file processing errors

Network Indicators:

  • Downloads of CHM files from untrusted sources

SIEM Query:

Process:calibre AND (FileWrite:*\Startup\* OR FileWrite:*\..\*)
