Server-Side Template Injection in calibre E-book Manager by Kovid Goyal
CVE-2026-25731

7.8HIGH

Key Information:

Vendor: Kovidgoyal
Status: Calibre
Vendor: CVE Published:; 6 February 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-25731?

The calibre e-book manager, developed by Kovid Goyal, is vulnerable to a Server-Side Template Injection (SSTI) issue in versions prior to 9.2.0. This flaw arises from its Templite templating engine, where users can execute arbitrary code by utilizing a malicious custom template file during ebook conversions. This can occur via command-line options such as --template-html or --template-html-index. The vulnerability has been addressed in the 9.2.0 update.

Affected Version(s)

calibre < 9.2.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-25731
Created by dxlerYT

References

https://github.com/kovidgoyal/calibre/security/advisories...

x_refsource_CONFIRM

https://github.com/kovidgoyal/calibre/commit/f0649b27512e...

x_refsource_MISC

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Feb 6, 2026
👾
Exploit known to exist
Feb 6, 2026
Vulnerability published
Feb 6, 2026
Vulnerability Reserved
Feb 5, 2026

CVE-2026-25731 Data

JSON

Kovidgoyal

Badges

What is CVE-2026-25731?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V3.1

Timeline