CVE-2025-64486
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-08

Last updated on: 2025-11-12

Assigner: GitHub, Inc.

Description
calibre is an e-book manager. In versions 8.13.0 and prior, calibre does not validate filenames when handling binary assets in FB2 files, allowing an attacker to write arbitrary files on the filesystem when viewing or converting a malicious FictionBook file. This can be leveraged to achieve arbitrary code execution. This issue is fixed in version 8.14.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-08
Last Modified
2025-11-12
Generated
2026-06-16
AI Q&A
2025-11-08
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64486
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
kovidgoyal calibre 8.14.0
kovidgoyal calibre 8.13.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in calibre versions 8.13.0 and earlier, where the software does not validate filenames when processing binary assets in FB2 (FictionBook) files. An attacker can exploit this by crafting a malicious FB2 file that, when viewed or converted in calibre, allows arbitrary files to be written to the filesystem. This can lead to arbitrary code execution on the affected system. The issue is fixed in version 8.14.0.

Impact Analysis

If exploited, this vulnerability can allow an attacker to write arbitrary files to your filesystem and execute arbitrary code on your machine. This could lead to unauthorized control over your system, data compromise, or further attacks depending on the attacker's intent and the environment in which calibre is used.

Mitigation Strategies

Upgrade calibre to version 8.14.0 or later, as this version contains the fix for the vulnerability. Avoid opening or converting untrusted FB2 files until the upgrade is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64486. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart