CVE-2026-25636
Unknown Unknown - Not Provided
Path Traversal in Calibre EPUB Conversion Allows File Corruption

Publication date: 2026-02-06

Last updated on: 2026-02-17

Assigner: GitHub, Inc.

Description
calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-02-17
Generated
2026-06-16
AI Q&A
2026-02-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25636
EUVD
EUVD-2026-5597
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
calibre-ebook calibre to 9.2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-25636 is a high-severity path traversal vulnerability in Calibre version 9.1.0 and earlier that affects its EPUB conversion process. The flaw occurs because Calibre improperly sanitizes the CipherReference URI found in the META-INF/encryption.xml file during EPUB conversion. This URI is resolved to an absolute filesystem path without properly restricting traversal outside the intended EPUB extraction directory.'}, {'type': 'paragraph', 'content': "As a result, a malicious EPUB file can specify a path that points to arbitrary writable files outside the EPUB directory. Calibre then opens these files in read-write mode and applies a decryption function that XORs approximately the first 1KB of the targeted file with the book's UUID, corrupting the file silently."}, {'type': 'paragraph', 'content': 'Beyond file corruption, this XOR operation can be exploited for code execution escalation by crafting UUIDs that transform the initial bytes of targeted files (such as shell initialization scripts) into executable commands, allowing arbitrary code execution with user privileges.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to corruption of arbitrary writable files accessible by the Calibre process, including important files like shell profiles, application configurations, SSH client states, and local databases.'}, {'type': 'paragraph', 'content': 'Such corruption can cause data loss or denial of service by damaging critical files.'}, {'type': 'paragraph', 'content': "Moreover, the vulnerability can be weaponized to escalate privileges by injecting malicious code into files that are later executed, resulting in arbitrary code execution with the user's privileges."}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability is triggered by processing a malicious EPUB file containing a crafted CipherReference URI in the META-INF/encryption.xml file during Calibre's EPUB conversion. Detection involves identifying if Calibre version 9.1.0 or earlier is used and if EPUB conversion is performed on untrusted files."}, {'type': 'paragraph', 'content': 'Since the vulnerability corrupts arbitrary writable files by XORing their first ~1KB with a UUID, detection can include monitoring for unexpected file modifications in writable directories accessible by the Calibre process, especially after running EPUB conversions.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect suspicious activity or potential exploitation include:'}, {'type': 'list_item', 'content': 'On Linux, monitor file changes with: `inotifywait -m /path/to/writable/directory`'}, {'type': 'list_item', 'content': 'Check recently modified files with: `find /path/to/writable/directory -type f -mmin -10` (files modified in last 10 minutes)'}, {'type': 'list_item', 'content': 'Verify Calibre version with: `calibre --version` or check the GUI version info'}, {'type': 'list_item', 'content': 'Inspect EPUB files for suspicious META-INF/encryption.xml entries referencing paths outside the EPUB directory (manual or scripted XML parsing)'}, {'type': 'paragraph', 'content': 'No specific built-in detection commands or tools are provided in the resources, so detection relies on version checking, monitoring file integrity, and scrutinizing EPUB files before conversion.'}] [1]

Mitigation Strategies

The primary mitigation step is to upgrade Calibre to version 9.2.0 or later, where this path traversal vulnerability in EPUB conversion has been fixed.

Until the upgrade is applied, avoid converting EPUB files from untrusted or unknown sources, as malicious EPUB files can exploit this vulnerability to corrupt arbitrary writable files accessible by the Calibre process.

Additionally, run Calibre with the least privileges possible to limit writable file access and reduce potential damage from exploitation.

If feasible, monitor and restrict file system permissions to prevent Calibre from writing to sensitive files or directories.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25636. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart