CVE-2026-26065

8.8 HIGH

📋 TL;DR

CVE-2026-26065 is a path traversal vulnerability in calibre's PDB readers that allows attackers to write arbitrary files anywhere the user has write permissions. This can lead to code execution, denial of service through file corruption, or system compromise. Users of calibre versions 9.2.1 and below are affected.
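The bug class described above is a name taken from the e-book container being used directly as a write path. As an added example (not calibre's code and not the fix from the advisory), here is a Python check a reader could apply to every record or file name before writing it under its output directory; the output directory name and the sample record names are constructed for the demonstration.

```python
import os
from pathlib import PureWindowsPath

class UnsafeRecordName(ValueError):
    """A name from an untrusted container would land outside the output directory."""

def safe_output_path(output_dir: str, record_name: str) -> str:
    """Absolute path under output_dir where record_name may be written, else raise.
    Rejects empty/NUL names, absolute POSIX or Windows paths (drive-relative and UNC
    included), any '..' component, and resolved paths that escape output_dir."""
    if not record_name or "\x00" in record_name:
        raise UnsafeRecordName(f"empty or NUL-containing name: {record_name!r}")
    # A container written on one OS may be opened on another, so both separator
    # styles count: 'a\\..\\b' must not pass as a single harmless POSIX filename.
    unified = record_name.replace("\\", "/")
    win = PureWindowsPath(record_name)
    if unified.startswith("/") or win.is_absolute() or win.drive:
        raise UnsafeRecordName(f"absolute or drive-qualified name: {record_name!r}")
    parts = [p for p in unified.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise UnsafeRecordName(f"traversal or empty path: {record_name!r}")
    root = os.path.realpath(output_dir)
    candidate = os.path.realpath(os.path.join(root, *parts))
    # realpath follows symlinks, so a planted link inside output_dir cannot redirect the write.
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeRecordName(f"resolved outside output dir: {record_name!r}")
    return candidate

# Constructed sample names, not taken from any real PDB file.
CONSTRUCTED_RECORD_NAMES = [
    "images/cover.jpg",                 # ordinary relative name: accepted
    "./text/chapter1.html",             # harmless leading './': accepted
    "../../.bashrc",                    # classic traversal: rejected
    "images/../../escape.py",           # traversal hidden mid-path: rejected
    "..\\..\\Roaming\\note.txt",        # backslash traversal: rejected
    "/etc/motd",                        # absolute POSIX path: rejected
    "C:\\Users\\Public\\run.bat",       # absolute Windows path: rejected
    "",                                 # empty name: rejected
]
DEMO_OUTPUT_DIR = "/tmp/calibre-out"  # hypothetical extraction directory

def classify(output_dir: str = DEMO_OUTPUT_DIR, names=CONSTRUCTED_RECORD_NAMES) -> dict:
    """Map each candidate name to its accepted output path, or None when rejected."""
    result = {}
    for name in names:
        try:
            result[name] = safe_output_path(output_dir, name)
        except UnsafeRecordName:
            result[name] = None
    return result
```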

💻 Affected Systems

Products:
  • calibre
Versions: 9.2.1 and below
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with PDB file processing enabled are vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to full system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Local privilege escalation, file corruption causing denial of service, or malicious file writes in user directories.

🟢 If Mitigated: Limited to user-writable directories without privilege escalation, causing data loss or application disruption.

🌐 Internet-Facing: LOW - calibre is primarily a desktop application and is not typically exposed to the internet.
🏢 Internal Only: MEDIUM - could be exploited via malicious e-books in shared environments or libraries.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the user to open a malicious PDB file. No authentication bypass is needed beyond file access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.3.0

Vendor Advisory: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-vmfh-7mr7-pp2w

Restart Required: Yes

Instructions:

1. Download calibre 9.3.0 or later from calibre-ebook.com.
2. Run the installer.
3. Restart calibre and any related services.

🔧 Temporary Workarounds

Disable PDB file processing

Platforms: all

Prevent calibre from processing PDB files by removing or disabling the PDB reader plugin.

# On Linux/macOS: mv ~/.config/calibre/plugins/pdb_reader.py ~/.config/calibre/plugins/pdb_reader.py.disabled
# On Windows: Move %APPDATA%\calibre\plugins\pdb_reader.py to a backup location

🧯 If You Can't Patch

  • Restrict user write permissions to sensitive directories using file system ACLs.
  • Implement application whitelisting to prevent execution of unauthorized binaries from user-writable locations.

🔍 How to Verify

Check if Vulnerable:

Check the calibre version via Help → About in the GUI or 'calibre --version' in a terminal. If the version is 9.2.1 or below, the system is vulnerable.

Check Version:

calibre --version

Verify Fix Applied:

Verify that the version is 9.3.0 or higher. Test with a safe PDB file to ensure the application functions normally.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations in user directories
  • Multiple PDB file processing errors

Network Indicators:

  • None - this is a local file processing vulnerability

SIEM Query:

Process:calibre AND (FileWrite:*\..* OR FileWrite:*\..*\..*)
