Server-Side Template Injection in calibre E-book Manager by Kovid Goyal
CVE-2026-25731

7.8HIGH

Key Information:

Vendor

Kovidgoyal

Status
Calibre
Vendor
CVE Published:
6 February 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-25731?

The calibre e-book manager, developed by Kovid Goyal, is vulnerable to a Server-Side Template Injection (SSTI) issue in versions prior to 9.2.0. This flaw arises from its Templite templating engine, where users can execute arbitrary code by utilizing a malicious custom template file during ebook conversions. This can occur via command-line options such as --template-html or --template-html-index. The vulnerability has been addressed in the 9.2.0 update.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

calibre < 9.2.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-25731
Created by dxlerYT

References

https://github.com/kovidgoyal/calibre/security/advisories...
x_refsource_CONFIRM
https://github.com/kovidgoyal/calibre/commit/f0649b27512e...
x_refsource_MISC

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

JSON
.