Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-30853 is a path traversal vulnerability in the RocketBook (.rb) input plugin of calibre versions up to 9.4.0. The vulnerability exists because the plugin reads a Table of Contents (TOC) entry name from attacker-controlled data and URL-decodes it without sanitizing the path. This unsanitized name is then used directly to create file paths for writing output files.'}, {'type': 'paragraph', 'content': 'Because there are no checks to remove or restrict relative path sequences like ".." or absolute paths, an attacker can craft a malicious .rb file that causes calibre to write arbitrary files to any location writable by the calibre process when a user opens or converts the file.'}, {'type': 'paragraph', 'content': 'This allows an attacker to place files such as malicious HTML or shell scripts anywhere on the filesystem accessible to calibre, potentially overwriting important files or placing harmful payloads.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker to write arbitrary files to any path writable by the calibre process on your system. This can lead to several negative consequences:

• Overwriting or destroying important files by placing malicious files in sensitive locations.
• Placing malicious payloads such as shell scripts or HTML files that could be executed or opened by the user, potentially leading to further compromise.
• The attack requires user interaction (opening or converting a crafted .rb file) but does not require special privileges, making it feasible for local users.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your calibre installation is a version prior to 9.5.0, as the flaw exists in versions up to 9.4.0 in the RocketBook (.rb) input plugin.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts, you can look for unexpected file writes to unusual or sensitive locations such as user home directories or desktops, especially files with extensions like .png or .html that may have been created or modified recently.'}, {'type': 'paragraph', 'content': 'Suggested commands to help detect suspicious files or activity include:'}, {'type': 'list_item', 'content': 'On Linux, use: find /home/username/Desktop /tmp -type f -mtime -1 -ls # Lists files modified in the last day on Desktop and /tmp'}, {'type': 'list_item', 'content': 'On Windows, use PowerShell: Get-ChildItem -Path $env:USERPROFILE\\Desktop -Recurse | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) } # Lists recently modified files on Desktop'}, {'type': 'paragraph', 'content': "Additionally, monitoring logs or file system activity for calibre's ebook-convert tool or any opening/conversion of .rb files may help identify attempts to exploit this vulnerability."}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and most effective mitigation step is to upgrade calibre to version 9.5.0 or later, where this path traversal vulnerability in the RocketBook (.rb) input plugin has been fixed.

Until the upgrade is applied, avoid opening or converting untrusted or suspicious .rb files with calibre, as the vulnerability requires user interaction with crafted files.

Additionally, restrict write permissions for the user running calibre to limit the locations where arbitrary files can be written.

Consider monitoring and auditing file system changes in directories commonly targeted by this exploit, such as user home directories and desktops.

Useful 0 Not Useful 0