Compliance Impact

This vulnerability allows unauthorized reading and exfiltration of arbitrary files from the file system, which poses a significant confidentiality risk.

Such unauthorized access to sensitive files could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over the confidentiality and integrity of personal and sensitive data.

Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to potential data breaches and unauthorized disclosure of protected information.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-33206 is a high-severity path traversal vulnerability in Calibre versions up to 9.5. It occurs during the conversion of text-based files like Markdown into ebooks, where Calibre processes image references. The software attempts to check if image paths start with the expected base directory but fails to properly normalize or sanitize these paths. This allows attackers to use relative path traversal sequences (such as "../../../../../../etc/passwd") to include arbitrary files from the file system into the converted ebook.

The vulnerable function, fix_resources, joins image sources with the base directory and verifies the path using a startswith check without accounting for path normalization, enabling unauthorized file inclusion. Additionally, when combined with another vulnerability in the background-image endpoint, attackers can exfiltrate these files without further user interaction.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to read arbitrary files from the file system during ebook conversion, which can lead to unauthorized disclosure of sensitive information. Since the attacker can include files like system password files or other confidential data into the ebook output, this poses a significant confidentiality risk.

Moreover, combined with the related background-image endpoint vulnerability, these files can be exfiltrated without additional user interaction, increasing the risk of data leakage. The vulnerability does not affect integrity or availability but has a high impact on confidentiality.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing if Calibre versions prior to 9.6.0 improperly include arbitrary files during the conversion of Markdown or similar text-based files into ebooks. A proof of concept involves running a specially crafted Markdown file that references files outside the intended directory using relative path traversal sequences (e.g., "../../../../../../etc/passwd").

To detect exploitation attempts or verify vulnerability, you can monitor file conversion activities in Calibre for unexpected file inclusions or check logs for attempts to convert files containing path traversal sequences.

Specific commands are not provided in the resources, but a practical approach includes:

• Create a Markdown file with image references using relative path traversal sequences.
• Run Calibre to convert this Markdown file to an ebook and inspect the output for inclusion of files outside the expected directory.
• Monitor network traffic or file system access logs for unusual file reads during conversion.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Calibre to version 9.6.0 or later, where this path traversal vulnerability has been fixed.

Until the upgrade is applied, avoid converting untrusted Markdown or similar text-based files that may contain malicious path traversal sequences.

Additionally, restrict access to the Calibre conversion functionality to trusted users only, as the attack vector is local.

Useful 0 Not Useful 0