CVE-2026-33205
SSRF Vulnerability in calibre Web View Allows Data Exfiltration
Publication date: 2026-03-27
Last updated on: 2026-03-30
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| calibre-ebook | calibre | to 9.6.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-33205 is a Server-Side Request Forgery (SSRF) vulnerability in the Calibre e-book reader's web viewer backend, specifically in the background-image endpoint. This endpoint allows the display of images from arbitrary URLs, including external or internal network addresses.
An attacker can exploit this by crafting malicious e-book content that triggers the Calibre server to perform blind GET requests to attacker-controlled or internal URLs without proper validation. This can lead to exfiltration of information from the e-book sandbox.
The vulnerability arises because the endpoint decodes a hex-encoded filename parameter that can be a URL starting with "http://" or "https://", which the backend fetches and caches locally. It requires no privileges or user interaction and has moderate severity.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with local access to the Calibre e-book viewer to perform unauthorized blind GET requests to arbitrary URLs from within the e-book sandbox.
As a result, sensitive information within the sandbox can be exfiltrated without user awareness. The exploit can also be combined with other vulnerabilities to leak contents of files included in the e-book sandbox.
While the impact on confidentiality is low and there is no impact on integrity or availability, it still poses a risk of limited data disclosure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unusual server-side requests originating from the Calibre e-book viewer's background-image endpoint. Since the vulnerability allows blind GET requests to arbitrary URLs, network logs may show unexpected outbound HTTP or HTTPS requests triggered by the application.
Specifically, you can look for requests to the background-image endpoint with hex-encoded filename parameters that decode to URLs starting with "http://" or "https://".
Commands to help detect this might include:
- Using network monitoring tools like tcpdump or Wireshark to capture outbound HTTP requests from the system running Calibre.
- Example tcpdump command to capture HTTP traffic: sudo tcpdump -i any tcp port 80 or tcp port 443 -w calibre_ssrf.pcap
- Inspecting web server or application logs for requests to the background-image endpoint with suspicious parameters.
- Using grep to search logs for hex-encoded URLs: grep -i 'background-image' /path/to/calibre/logs | grep -E '[0-9a-f]{8,}'
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Calibre to version 9.6.0 or later, where this Server-Side Request Forgery vulnerability in the background-image endpoint has been patched.
Until the upgrade can be applied, consider restricting network access from the Calibre application to prevent it from making arbitrary outbound HTTP/HTTPS requests.
Additionally, avoid opening untrusted e-books that could exploit this vulnerability.