CVE-2026-26064
Path Traversal in calibre extract_pictures Enables Remote Code Execution
Publication date: 2026-02-20
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| calibre-ebook | calibre | to 9.3.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-26064 is a critical path traversal vulnerability in the calibre e-book manager, specifically in the function extract_pictures that processes ODT files. This function attempts to extract files starting with 'Pictures' from ODT ZIP archives but fails to sanitize path traversal sequences like '..'. As a result, an attacker can craft a malicious ODT file that writes arbitrary files anywhere the user has write permissions."}, {'type': 'paragraph', 'content': "On Windows, this vulnerability can be exploited to write a malicious payload into the user's Startup folder, which will execute automatically on the next login, leading to remote code execution. The vulnerability bypasses calibre's usual ZIP extraction sanitization because extract_pictures manually reads and writes files without validating the file paths."}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability allows an attacker to write arbitrary files anywhere the user has write permissions, potentially overwriting important files or placing malicious executables.'}, {'type': 'paragraph', 'content': "On Windows systems, it can lead to remote code execution by placing a malicious batch file in the Startup folder, which runs automatically when the user logs in. This can compromise the user's system, leading to unauthorized control, data loss, or further malware infection."}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious file writes outside the expected extraction directory when processing ODT files with calibre versions 9.2.1 and below. Specifically, look for files being written to unexpected locations such as the Windows Startup folder.'}, {'type': 'paragraph', 'content': "One way to detect exploitation attempts is to check for the presence of unexpected batch files (e.g., rce.bat) or other files in the user's Startup folder or other sensitive directories."}, {'type': 'paragraph', 'content': "Since the attack is triggered by converting malicious ODT files via calibre's GUI 'Convert books' feature, monitoring file system changes during such conversions can help detect exploitation."}, {'type': 'list_item', 'content': 'On Windows, use PowerShell to check for suspicious files in the Startup folder: Get-ChildItem "$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"'}, {'type': 'list_item', 'content': 'Monitor recent file creation timestamps in the Startup folder: Get-ChildItem "$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) }'}, {'type': 'list_item', 'content': 'Check calibre version installed: calibre --version'}, {'type': 'list_item', 'content': 'Review logs or audit file system changes during ODT file conversions if possible.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade calibre to version 9.3.0 or later, where the vulnerability has been fixed by properly sanitizing file paths during extraction.'}, {'type': 'paragraph', 'content': "Until the upgrade is applied, avoid converting untrusted or suspicious ODT files using calibre's 'Convert books' feature."}, {'type': 'paragraph', 'content': 'Additionally, monitor and restrict write permissions to sensitive directories such as the Startup folder to reduce the impact of potential exploitation.'}, {'type': 'paragraph', 'content': 'Consider implementing file system monitoring to detect unauthorized file writes outside expected directories.'}] [1, 2]