CVE-2026-25731

7.8 HIGH

📋 TL;DR

A Server-Side Template Injection vulnerability in Calibre's Templite engine allows arbitrary code execution when converting ebooks using malicious custom templates via command-line options. This affects users of Calibre versions prior to 9.2.0 who convert ebooks with custom templates. Attackers could execute arbitrary code on the victim's system.

💻 Affected Systems

Products:
  • Calibre
Versions: All versions prior to 9.2.0
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is present in default installations when users convert ebooks using the --template-html or --template-html-index options with malicious templates.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with the attacker gaining complete control over the victim's machine, allowing data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case: Local privilege escalation leading to unauthorized access to sensitive files, user data, and system resources on the affected machine.

🟢 If Mitigated: Limited impact if users don't use custom templates or have restricted command-line access, though the vulnerability remains present in the software.

🌐 Internet-Facing: LOW - This vulnerability requires local access or user interaction with command-line tools, not typically exposed to internet-facing services.
🏢 Internal Only: MEDIUM - Internal users with access to Calibre command-line tools could exploit this, but requires specific user actions (using custom templates).

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (converting ebook with malicious template) and knowledge of SSTI techniques. No public exploit code identified yet.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.2.0

Vendor Advisory: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-xrh9-w7qx-3gcc

Restart Required: No

Instructions:

1. Download Calibre 9.2.0 or later from https://calibre-ebook.com/download.
2. Install the new version, overwriting the previous installation.
3. Verify the version with the 'calibre --version' command.

🔧 Temporary Workarounds

Disable custom template usage (platform: all)

Prevent users from using custom templates via command-line options:

  • Remove execute permissions from the calibre binary for non-admin users
  • Implement a policy restricting use of the --template-html and --template-html-index options

Sandbox execution (platform: linux)

Run Calibre in a restricted environment to limit potential damage:

  • Use containerization (Docker) with limited privileges
  • Implement AppArmor/SELinux profiles for Calibre

🧯 If You Can't Patch

  • Restrict user access to Calibre command-line tools to trusted administrators only
  • Monitor for unusual process creation or network connections from Calibre processes

🔍 How to Verify

Check if Vulnerable:

Run 'calibre --version' and check if version is below 9.2.0

Check Version:

calibre --version

Verify Fix Applied:

Run 'calibre --version' and confirm version is 9.2.0 or higher

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from Calibre
  • Command-line arguments containing --template-html or --template-html-index with suspicious template paths

Network Indicators:

  • Unexpected outbound connections from Calibre processes

SIEM Query:

Process creation where parent process contains 'calibre' and command line contains '--template-html' or '--template-html-index'
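The version check from "How to Verify" and the SIEM query above, implemented as a small Python script over constructed sample process-creation events (added example, not part of this advisory). It assumes `calibre --version` prints `calibre (calibre X.Y.Z)`, that conversions are run through Calibre's ebook-convert CLI, and an event schema with `image`, `parent_image` and `cmdline` fields; it also goes slightly beyond the query by matching the `--option=value` argument form.

```python
import json
import re

# Template options named in the advisory; matched as whole arguments.
TEMPLATE_OPTS = ("--template-html", "--template-html-index")
FIXED_VERSION = (9, 2, 0)
# Process names treated as Calibre (assumption: ebook-convert is the CLI used).
CALIBRE_NAMES = ("calibre", "ebook-convert")

def parse_version(output):
    """Extract (major, minor, patch) from 'calibre --version' output.
    Assumes the format 'calibre (calibre X.Y.Z)'; returns None if absent."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", output)
    return tuple(int(x) for x in m.groups()) if m else None

def is_vulnerable(output):
    """True when the reported version is below the fixed 9.2.0 release."""
    v = parse_version(output)
    return v is not None and v < FIXED_VERSION

def uses_template_option(cmdline):
    """True when any argument is a template option, bare or as --opt=value
    (plain substring matching would also hit unrelated --template-htmlx)."""
    return any(arg == opt or arg.startswith(opt + "=")
               for arg in cmdline.split() for opt in TEMPLATE_OPTS)

def flag_events(events):
    """Return events whose image or parent is a Calibre process and whose
    command line carries a template option, mirroring the SIEM query."""
    hits = []
    for ev in events:
        procs = (ev.get("image", "") + " " + ev.get("parent_image", "")).lower()
        if any(n in procs for n in CALIBRE_NAMES) and uses_template_option(ev.get("cmdline", "")):
            hits.append(ev)
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [json.loads(line) for line in """
{"image": "ebook-convert", "parent_image": "calibre", "cmdline": "ebook-convert book.epub out.txt"}
{"image": "ebook-convert", "parent_image": "calibre", "cmdline": "ebook-convert book.epub out.html --template-html /tmp/x.tmpl"}
{"image": "ebook-convert", "parent_image": "bash", "cmdline": "ebook-convert a.epub b.html --template-html-index=/home/u/idx.tmpl"}
{"image": "firefox", "parent_image": "systemd", "cmdline": "firefox --template-html"}
""".strip().splitlines()]

if __name__ == "__main__":
    for ev in flag_events(SAMPLE_EVENTS):
        print("ALERT:", ev["cmdline"])
    print("vulnerable:", is_vulnerable("calibre (calibre 9.1.0)"))
```

The third sample shows why matching only on a 'calibre' parent misses conversions launched directly from a shell.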
