CVE-2026-25636
Path Traversal in Calibre EPUB Conversion Allows File Corruption
Publication date: 2026-02-06
Last updated on: 2026-02-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| calibre-ebook | calibre | to 9.2.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-25636 is a high-severity path traversal vulnerability in Calibre version 9.1.0 and earlier that affects its EPUB conversion process. The flaw occurs because Calibre improperly sanitizes the CipherReference URI found in the META-INF/encryption.xml file during EPUB conversion. This URI is resolved to an absolute filesystem path without properly restricting traversal outside the intended EPUB extraction directory.'}, {'type': 'paragraph', 'content': "As a result, a malicious EPUB file can specify a path that points to arbitrary writable files outside the EPUB directory. Calibre then opens these files in read-write mode and applies a decryption function that XORs approximately the first 1KB of the targeted file with the book's UUID, corrupting the file silently."}, {'type': 'paragraph', 'content': 'Beyond file corruption, this XOR operation can be exploited for code execution escalation by crafting UUIDs that transform the initial bytes of targeted files (such as shell initialization scripts) into executable commands, allowing arbitrary code execution with user privileges.'}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can lead to corruption of arbitrary writable files accessible by the Calibre process, including important files like shell profiles, application configurations, SSH client states, and local databases.'}, {'type': 'paragraph', 'content': 'Such corruption can cause data loss or denial of service by damaging critical files.'}, {'type': 'paragraph', 'content': "Moreover, the vulnerability can be weaponized to escalate privileges by injecting malicious code into files that are later executed, resulting in arbitrary code execution with the user's privileges."}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability is triggered by processing a malicious EPUB file containing a crafted CipherReference URI in the META-INF/encryption.xml file during Calibre's EPUB conversion. Detection involves identifying if Calibre version 9.1.0 or earlier is used and if EPUB conversion is performed on untrusted files."}, {'type': 'paragraph', 'content': 'Since the vulnerability corrupts arbitrary writable files by XORing their first ~1KB with a UUID, detection can include monitoring for unexpected file modifications in writable directories accessible by the Calibre process, especially after running EPUB conversions.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect suspicious activity or potential exploitation include:'}, {'type': 'list_item', 'content': 'On Linux, monitor file changes with: `inotifywait -m /path/to/writable/directory`'}, {'type': 'list_item', 'content': 'Check recently modified files with: `find /path/to/writable/directory -type f -mmin -10` (files modified in last 10 minutes)'}, {'type': 'list_item', 'content': 'Verify Calibre version with: `calibre --version` or check the GUI version info'}, {'type': 'list_item', 'content': 'Inspect EPUB files for suspicious META-INF/encryption.xml entries referencing paths outside the EPUB directory (manual or scripted XML parsing)'}, {'type': 'paragraph', 'content': 'No specific built-in detection commands or tools are provided in the resources, so detection relies on version checking, monitoring file integrity, and scrutinizing EPUB files before conversion.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Calibre to version 9.2.0 or later, where this path traversal vulnerability in EPUB conversion has been fixed.
Until the upgrade is applied, avoid converting EPUB files from untrusted or unknown sources, as malicious EPUB files can exploit this vulnerability to corrupt arbitrary writable files accessible by the Calibre process.
Additionally, run Calibre with the least privileges possible to limit writable file access and reduce potential damage from exploitation.
If feasible, monitor and restrict file system permissions to prevent Calibre from writing to sensitive files or directories.