Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-25731 is a high-severity Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine affecting versions up to 9.1.0. The vulnerability occurs because the Templite engine compiles and executes user-supplied templates using Python's compile() and eval() functions without sandboxing or restrictions."}, {'type': 'paragraph', 'content': 'When a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index command-line options, arbitrary Python code embedded in the template can be executed. This allows attackers to run arbitrary commands on the affected system with the privileges of the user running Calibre.'}, {'type': 'paragraph', 'content': 'For example, a malicious template can execute shell commands such as writing to files or opening reverse shells during ebook conversion.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts if you use third-party or shared HTML export templates or automated pipelines that convert ebooks using user-supplied templates.

• Attackers can execute arbitrary code on your system with your user privileges.
• Malicious templates can run shell commands, exfiltrate files, or open reverse shells.
• This can lead to compromise of confidentiality, integrity, and availability of your system and data.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the Calibre software version in use is prior to 9.2.0 and if the --template-html or --template-html-index command-line options are used with custom or third-party HTML templates during ebook conversion.'}, {'type': 'paragraph', 'content': 'A practical detection method involves attempting to run a test conversion with a malicious template file containing a Server-Side Template Injection payload, such as `${emit(__import__("os").popen("id > /tmp/pwned.txt").read())}$`. If the file `/tmp/pwned.txt` is created, the system is vulnerable.'}, {'type': 'paragraph', 'content': 'Example command to test vulnerability:'}, {'type': 'list_item', 'content': 'ebook-convert input.epub output.zip --template-html=malicious_template.tmpl'}, {'type': 'paragraph', 'content': 'After running the command, check for the presence of the file `/tmp/pwned.txt` to confirm arbitrary code execution.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Calibre to version 9.2.0 or later, where the vulnerability is fixed by replacing the vulnerable Templite templating engine with the safer Mustache engine.

Additionally, avoid using untrusted or third-party custom HTML templates with the --template-html or --template-html-index options until the upgrade is applied.

Users relying on custom templates should update their templates to the new Mustache format, as the older Templite templates are no longer supported and pose a security risk.

Useful 0 Not Useful 0