CVE-2026-25636

8.2 HIGH

📋 TL;DR

A path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary files writable by the Calibre process. The EPUB carries CipherReference URIs that resolve to paths outside the extraction directory, so the conversion step writes where it should not. Users of Calibre 9.1.0 and earlier who convert untrusted EPUB files are affected.
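The defensive check at the heart of this class of bug is containment: a container-relative reference must map to a path under the extraction directory, after URL decoding, normalisation and symlink resolution. The following is an added example written for this page, not Calibre's code and not the vendor's patch; the function names, the extraction directory and the sample URIs are all constructed for illustration.

```python
import os
import posixpath
from urllib.parse import unquote, urlsplit


def resolve_cipher_reference(extract_dir, uri):
    """Map a CipherReference URI from an EPUB onto a path inside extract_dir.

    Returns the resolved absolute path, or None when the reference would
    escape the extraction directory (URL scheme or authority, absolute path,
    '..' climb, percent-encoded traversal, or a symlink leading outside).
    """
    parts = urlsplit(uri)
    # A reference into the container is a bare relative reference; anything
    # carrying a scheme or authority (file:, http:, //host) is rejected outright.
    if parts.scheme or parts.netloc:
        return None
    path = unquote(parts.path)  # decode %2e%2e and friends before any check
    if not path or path.startswith("/") or "\\" in path or "\x00" in path:
        return None
    # EPUB container paths use '/' on every platform, so normalise as POSIX.
    norm = posixpath.normpath(path)
    if norm == "." or norm.split("/")[0] == "..":
        return None
    root = os.path.realpath(extract_dir)
    candidate = os.path.realpath(os.path.join(root, *norm.split("/")))
    # Final containment check after symlink resolution: the candidate must be
    # the root itself or lie beneath it.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def partition_references(extract_dir, uris):
    """Split CipherReference URIs into (accepted resolved paths, rejected URIs)."""
    accepted, rejected = [], []
    for uri in uris:
        resolved = resolve_cipher_reference(extract_dir, uri)
        if resolved is None:
            rejected.append(uri)
        else:
            accepted.append(resolved)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: a hypothetical extraction directory and a mix of references.
    demo_dir = "/tmp/calibre_extract_demo"
    ok, bad = partition_references(demo_dir, [
        "OEBPS/ch1.xhtml",
        "OEBPS/../META-INF/encryption.xml",
        "../../outside.txt",
        "%2e%2e/%2e%2e/outside.txt",
        "file:///outside.txt",
    ])
    print("accepted:", ok)
    print("rejected:", bad)
```

The order of operations matters: decode first, then normalise, then resolve symlinks, then compare against the resolved root. Checking for `..` before decoding, or comparing string prefixes without `realpath`, leaves a gap that encoded dots or a symlink inside the archive can slip through.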

💻 Affected Systems

Products:
  • Calibre
Versions: 9.1.0 and earlier
Operating Systems: Linux, Windows, macOS (all supported platforms)
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with EPUB conversion functionality are vulnerable when processing untrusted EPUB files.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise through corruption of critical system files, privilege escalation, or data destruction if Calibre runs with elevated privileges.

🟠 Likely Case: Data corruption of user files, potential loss of e-book libraries, or denial of service through file corruption.

🟢 If Mitigated: Limited to corruption of files within the user's home directory if Calibre runs with minimal privileges.

🌐 Internet-Facing: MEDIUM - Requires user to download and process a malicious EPUB file, but could be distributed through e-book sharing sites.
🏢 Internal Only: MEDIUM - Internal users could exploit this against shared systems or other users' files if permissions allow.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the victim to open a malicious EPUB file in Calibre. The vulnerability is straightforward to exploit once the attack vector is understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.2.0

Vendor Advisory: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-8r26-m7j5-hm29

Restart Required: Yes

Instructions:

1. Download Calibre 9.2.0 or later from https://calibre-ebook.com/download.
2. Install the new version over your existing installation.
3. Restart Calibre to ensure the fix is active.

🔧 Temporary Workarounds

Disable EPUB conversion (platform: all)

Temporarily disable EPUB conversion functionality to prevent exploitation.

Command: not applicable; disable through the Calibre GUI preferences.

Run Calibre with restricted permissions (platform: linux)

Run Calibre with minimal file system access using sandboxing or containerization:

firejail calibre
# bwrap: mount the host file system read-only, give the process its own /dev, /proc and an
# empty writable /tmp for extraction, keep the X11 socket reachable if present, and leave
# only $HOME writable so a traversal can at most reach the user's own files
bwrap --ro-bind / / --dev /dev --proc /proc --tmpfs /tmp \
  --ro-bind-try /tmp/.X11-unix /tmp/.X11-unix --bind "$HOME" "$HOME" calibre

🧯 If You Can't Patch

  • Avoid converting untrusted EPUB files - only process EPUBs from trusted sources
  • Run Calibre in a sandboxed environment with restricted file system access

🔍 How to Verify

Check if Vulnerable:

Check Calibre version: if version is 9.1.0 or earlier, the system is vulnerable.

Check Version:

calibre --version

Verify Fix Applied:

Verify Calibre version is 9.2.0 or later and test EPUB conversion with a known safe file.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns during EPUB conversion
  • Errors related to file corruption or permission denied for unexpected paths

Network Indicators:

  • Downloads of EPUB files from untrusted sources followed by conversion activity

SIEM Query:

process_name:"calibre" AND (event_type:"file_access" AND file_path NOT CONTAINS "/tmp/" AND file_path NOT CONTAINS user_home_directory)
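The query above is written in generic SIEM pseudo-syntax. The following added example (not part of the advisory) runs the same rule over a handful of constructed JSON events in Python, and places a second matcher beside it that normalises the path before a prefix comparison. The event schema, the home directory `/home/alice` and every path in `SAMPLE_LOG` are invented for illustration.

```python
import json
import posixpath

# Constructed sample events (not real Calibre telemetry); one JSON object per line.
SAMPLE_LOG = """\
{"process_name": "calibre", "event_type": "file_access", "file_path": "/tmp/calibre_x1/OEBPS/ch1.xhtml"}
{"process_name": "calibre", "event_type": "file_access", "file_path": "/home/alice/Calibre Library/book.epub"}
{"process_name": "calibre", "event_type": "file_access", "file_path": "/home/alice/../../etc/hosts"}
{"process_name": "calibre", "event_type": "file_access", "file_path": "/etc/cron.d/tmp/job"}
{"process_name": "calibre", "event_type": "network", "file_path": ""}
{"process_name": "firefox", "event_type": "file_access", "file_path": "/etc/hosts"}
"""


def naive_siem_match(event, home_dir):
    """Literal reading of the advisory's query: substring NOT CONTAINS checks."""
    path = event.get("file_path", "")
    return (
        event.get("process_name") == "calibre"
        and event.get("event_type") == "file_access"
        and "/tmp/" not in path
        and home_dir not in path
    )


def normalised_match(event, home_dir, allowed_roots=("/tmp",)):
    """Prefix check on the normalised path: catches '..' climbs and look-alike paths."""
    if event.get("process_name") != "calibre" or event.get("event_type") != "file_access":
        return False
    norm = posixpath.normpath(event.get("file_path", ""))
    for root in (*allowed_roots, home_dir):
        root = root.rstrip("/")
        if norm == root or norm.startswith(root + "/"):
            return False  # inside an allowed tree
    return True


def flagged_paths(log_text, home_dir, matcher=normalised_match):
    """Return the normalised file paths of the events the matcher flags."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if matcher(event, home_dir):
            hits.append(posixpath.normpath(event["file_path"]))
    return hits


if __name__ == "__main__":
    print("substring rule:", flagged_paths(SAMPLE_LOG, "/home/alice", naive_siem_match))
    print("normalised rule:", flagged_paths(SAMPLE_LOG, "/home/alice"))
```

On the sample events the substring rule flags nothing: the `/home/alice/../../etc/hosts` event contains the home directory as a substring, and `/etc/cron.d/tmp/job` contains `/tmp/`. The normalised rule flags both, which is the behaviour you want when the thing being detected is a traversal.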
