CVE-2026-26064
Received Received - Intake
Path Traversal in calibre extract_pictures Enables Remote Code Execution

Publication date: 2026-02-20

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows, this leads to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. Function extract_pictures only checks startswith('Pictures'), and does not sanitize '..' sequences. calibre's own ZipFile.extractall() in utils/zipfile.py does sanitize '..' via _get_targetpath(), but extract_pictures() bypasses this by using manual zf.read() + open(). This issue has been fixed in version 9.3.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-26064
EUVD
EUVD-2026-8035
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
calibre-ebook calibre to 9.3.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-26064 is a critical path traversal vulnerability in the calibre e-book manager, specifically in the function extract_pictures that processes ODT files. This function attempts to extract files starting with 'Pictures' from ODT ZIP archives but fails to sanitize path traversal sequences like '..'. As a result, an attacker can craft a malicious ODT file that writes arbitrary files anywhere the user has write permissions."}, {'type': 'paragraph', 'content': "On Windows, this vulnerability can be exploited to write a malicious payload into the user's Startup folder, which will execute automatically on the next login, leading to remote code execution. The vulnerability bypasses calibre's usual ZIP extraction sanitization because extract_pictures manually reads and writes files without validating the file paths."}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows an attacker to write arbitrary files anywhere the user has write permissions, potentially overwriting important files or placing malicious executables.'}, {'type': 'paragraph', 'content': "On Windows systems, it can lead to remote code execution by placing a malicious batch file in the Startup folder, which runs automatically when the user logs in. This can compromise the user's system, leading to unauthorized control, data loss, or further malware infection."}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious file writes outside the expected extraction directory when processing ODT files with calibre versions 9.2.1 and below. Specifically, look for files being written to unexpected locations such as the Windows Startup folder.'}, {'type': 'paragraph', 'content': "One way to detect exploitation attempts is to check for the presence of unexpected batch files (e.g., rce.bat) or other files in the user's Startup folder or other sensitive directories."}, {'type': 'paragraph', 'content': "Since the attack is triggered by converting malicious ODT files via calibre's GUI 'Convert books' feature, monitoring file system changes during such conversions can help detect exploitation."}, {'type': 'list_item', 'content': 'On Windows, use PowerShell to check for suspicious files in the Startup folder: Get-ChildItem "$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"'}, {'type': 'list_item', 'content': 'Monitor recent file creation timestamps in the Startup folder: Get-ChildItem "$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) }'}, {'type': 'list_item', 'content': 'Check calibre version installed: calibre --version'}, {'type': 'list_item', 'content': 'Review logs or audit file system changes during ODT file conversions if possible.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade calibre to version 9.3.0 or later, where the vulnerability has been fixed by properly sanitizing file paths during extraction.'}, {'type': 'paragraph', 'content': "Until the upgrade is applied, avoid converting untrusted or suspicious ODT files using calibre's 'Convert books' feature."}, {'type': 'paragraph', 'content': 'Additionally, monitor and restrict write permissions to sensitive directories such as the Startup folder to reduce the impact of potential exploitation.'}, {'type': 'paragraph', 'content': 'Consider implementing file system monitoring to detect unauthorized file writes outside expected directories.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26064. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart