CVE-2026-25731
Server-Side Template Injection in Calibre Enables Code Execution
Publication date: 2026-02-06
Last updated on: 2026-02-17
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| calibre-ebook | calibre | to 9.2.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25731 is a high-severity Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine affecting versions up to 9.1.0. The vulnerability occurs because the Templite engine compiles and executes user-supplied templates using Python's compile() and eval() functions without sandboxing or restrictions.

When a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index command-line options, arbitrary Python code embedded in the template can be executed. This allows attackers to run arbitrary commands on the affected system with the privileges of the user running Calibre.

For example, a malicious template can execute shell commands such as writing to files or opening reverse shells during ebook conversion. [1]
How can this vulnerability impact me?
This vulnerability can have serious impacts if you use third-party or shared HTML export templates or automated pipelines that convert ebooks using user-supplied templates.
- Attackers can execute arbitrary code on your system with your user privileges.
- Malicious templates can run shell commands, exfiltrate files, or open reverse shells.
- This can lead to compromise of confidentiality, integrity, and availability of your system and data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the Calibre version in use is prior to 9.2.0 and whether the --template-html or --template-html-index command-line options are used with custom or third-party HTML templates during ebook conversion.

A practical detection method involves attempting to run a test conversion with a malicious template file containing a Server-Side Template Injection payload, such as `${emit(__import__("os").popen("id > /tmp/pwned.txt").read())}$`. If the file `/tmp/pwned.txt` is created, the system is vulnerable.

Example command to test vulnerability:

- `ebook-convert input.epub output.zip --template-html=malicious_template.tmpl`

After running the command, check for the presence of the file `/tmp/pwned.txt` to confirm arbitrary code execution. [1]
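As an added, defender-side example (not from this page or from the Calibre project), the following Python script carries out the two non-destructive checks the answer above names without running any template: it parses the installed Calibre version and compares it with the fixed release 9.2.0, and it scans a conversion pipeline script for invocations that pass --template-html or --template-html-index so the referenced template files can be reviewed for provenance. It assumes that the `ebook-convert --version` banner contains the text `calibre X.Y.Z`; the pipeline script it scans is a constructed sample.

```python
"""Triage helpers for CVE-2026-25731 (Calibre Templite SSTI): version check
and pipeline-script scan. Added example; not part of the advisory or Calibre."""
import re
import shlex
import subprocess

FIXED_VERSION = (9, 2, 0)  # first release shipping the Mustache engine (per the advisory)
RISKY_OPTIONS = ("--template-html", "--template-html-index")

# Assumption: the version banner contains "calibre X.Y.Z",
# e.g. "ebook-convert (calibre 9.1.0)". A missing patch number is treated as 0.
_VERSION_RE = re.compile(r"calibre\s+(\d+)\.(\d+)(?:\.(\d+))?")

# Constructed sample pipeline script (not from the page) used for the scan below.
SAMPLE_PIPELINE = """\
#!/bin/sh
# nightly conversion job (constructed sample)
ebook-convert in.epub out.zip --template-html=/srv/templates/vendor.tmpl
ebook-convert in.epub out.zip --template-html-index /srv/templates/index.tmpl
ebook-convert in.epub out.mobi   # built-in output only: not in scope
"""


def parse_calibre_version(banner):
    """Return (major, minor, patch) parsed from a version banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """True when the parsed version is below the fixed release (None is unknown, not affected)."""
    return version is not None and version < FIXED_VERSION


def installed_calibre_version():
    """Query the local ebook-convert binary; None if it is absent or the banner is unparsable."""
    try:
        out = subprocess.run(["ebook-convert", "--version"],
                             capture_output=True, text=True, timeout=30)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return parse_calibre_version(out.stdout + out.stderr)


def find_template_usage(script_text):
    """Scan a shell-style script for ebook-convert calls that pass a custom template.
    Returns a list of (line_no, option, template_path); both "--opt value" and
    "--opt=value" spellings are recognised."""
    findings = []
    for line_no, line in enumerate(script_text.splitlines(), start=1):
        if "ebook-convert" not in line:
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            tokens = line.split()
        for i, tok in enumerate(tokens):
            for opt in RISKY_OPTIONS:
                if tok == opt and i + 1 < len(tokens):
                    findings.append((line_no, opt, tokens[i + 1]))
                elif tok.startswith(opt + "="):
                    findings.append((line_no, opt, tok[len(opt) + 1:]))
    return findings


def triage(version, findings):
    """Combine both signals into human-readable findings for an operator."""
    msgs = []
    if is_affected(version):
        cur = ".".join(map(str, version))
        fixed = ".".join(map(str, FIXED_VERSION))
        msgs.append(f"calibre {cur} is below {fixed}: upgrade before converting with custom templates")
    for line_no, opt, path in findings:
        msgs.append(f"line {line_no}: {opt} loads {path}; confirm this template comes from a trusted source")
    return msgs


if __name__ == "__main__":
    for msg in triage(installed_calibre_version(), find_template_usage(SAMPLE_PIPELINE)):
        print(msg)
```

Point `find_template_usage` at the real job scripts or cron entries on a build host rather than the sample; the version check reports nothing when ebook-convert is not on PATH, so an empty report should be read together with an inventory of where Calibre is actually installed.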
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Calibre to version 9.2.0 or later, where the vulnerability is fixed by replacing the vulnerable Templite templating engine with the safer Mustache engine.
Additionally, avoid using untrusted or third-party custom HTML templates with the --template-html or --template-html-index options until the upgrade is applied.
Users relying on custom templates should update their templates to the new Mustache format, as the older Templite templates are no longer supported and pose a security risk.