Path Traversal Vulnerability in Calibre E-Book Manager by Kovid Goyal
CVE-2026-26064

9.3 CRITICAL

Key Information:

Vendor: Kovidgoyal
Status: Vendor
CVE Published: 20 February 2026

What is CVE-2026-26064?

Calibre, the cross-platform e-book manager by Kovid Goyal, contains a path traversal vulnerability that allows arbitrary file writes. Versions 9.2.1 and earlier are affected: the extract_pictures function does not properly sanitize user-controlled input, so an attacker can manipulate the file paths to which extracted files are written. The root cause is inadequate checking of path segments, specifically that '..' sequences are ignored rather than rejected. Although Calibre's ZipFile.extractall() method has protections against traversal, extract_pictures does not apply equivalent filtering. On Windows systems this can lead to remote code execution, because a malicious payload written to the Startup folder executes at the next user login. The issue has been addressed in version 9.3.0.
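The defect described above is a missing per-segment check on an archive member name before it is joined onto the destination directory. The following is an added example (not Calibre's code; the function names, the naive pattern and the sample member names are constructed for illustration) that shows the unsafe join beside a hardened form. It generalizes slightly beyond the '..' case the advisory names: it also rejects absolute member names, backslash-separated names and Windows drive-letter segments, and confirms containment after normalisation.

```python
import os


def naive_target_path(dest_dir, member_name):
    """Constructed example of the vulnerable pattern: the member name from the
    archive is trusted and joined directly onto the destination directory.
    os.path.join does not collapse '..', and an absolute member name
    replaces dest_dir entirely."""
    return os.path.join(dest_dir, member_name)


def naive_escapes(dest_dir, member_name):
    """True if the naive join would land outside dest_dir once normalised."""
    dest_abs = os.path.abspath(dest_dir)
    target = os.path.abspath(naive_target_path(dest_dir, member_name))
    return os.path.commonpath([dest_abs, target]) != dest_abs


def safe_target_path(dest_dir, member_name):
    """Return an absolute path under dest_dir for member_name, or None if the
    name must be rejected. Hypothetical hardened counterpart to the naive join."""
    # Archive member names use '/' separators, but Windows also treats '\'
    # as a separator, so normalise both before splitting.
    name = member_name.replace("\\", "/")

    # Drop empty segments (which also strips a leading '/' on absolute names)
    # and '.' segments, which are no-ops.
    segments = [s for s in name.split("/") if s not in ("", ".")]
    if not segments:
        return None

    for seg in segments:
        # '..' is the traversal primitive; a ':' inside a segment could be a
        # Windows drive letter such as 'C:' which would re-root the path.
        if seg == ".." or ":" in seg:
            return None

    dest_abs = os.path.abspath(dest_dir)
    candidate = os.path.abspath(os.path.join(dest_abs, *segments))

    # Belt and braces: even after the segment filter, confirm the normalised
    # result is still inside the destination directory.
    if os.path.commonpath([dest_abs, candidate]) != dest_abs:
        return None
    return candidate


def triage_members(dest_dir, member_names):
    """Return (name, naive_escapes, safe_result) for each member name so the two
    behaviours can be compared side by side."""
    return [
        (name, naive_escapes(dest_dir, name), safe_target_path(dest_dir, name))
        for name in member_names
    ]


if __name__ == "__main__":
    # Constructed sample member names, as they might appear in an archive.
    samples = [
        "pics/cover.png",
        "../../evil.txt",
        "pics/../../evil.txt",
        "/etc/passwd",
        "..\\..\\evil.txt",
    ]
    for name, escapes, safe in triage_members("/tmp/out", samples):
        print(f"{name!r:24} naive escapes: {escapes!s:5} hardened: {safe}")
```

The hardened function deliberately rejects rather than rewrites suspicious names: silently normalising '..' away still lets an attacker steer the output file name, and returning None lets the caller log the offending member name for detection.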

Affected Version(s)

calibre < 9.3.0

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
