Path Traversal Vulnerability in Calibre E-Book Manager by Kovid Goyal
CVE-2026-26065

9.3 CRITICAL

Key Information:

Vendor: Kovidgoyal
Status: Vendor
CVE Published: 20 February 2026

What is CVE-2026-26065?

Calibre, a widely used e-book management application, contains a path traversal vulnerability in its PDB reader. Versions up to and including 9.2.1 are affected. A file name taken from the PDB header (the 132-byte and 202-byte header variants are the ones affected) is used to build an output path without sanitisation, so a crafted PDB file processed by calibre can cause it to write a file with any name, extension and content to any location the calibre user has write permission for. The target is opened in 'wb' mode, so an existing file is truncated and overwritten silently; depending on which file is overwritten, this can lead to code execution or to denial of service through corruption of the user's files. The attack vector is local: the victim has to open the malicious PDB file with calibre. The issue is fixed in calibre 9.3.0 and users should upgrade.
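To make the bug class concrete, the following is an added illustration and not calibre's own code: it models the vulnerable pattern the advisory describes (a name read from a PDB-style record is joined straight onto an output directory and opened in 'wb' mode) next to a hardened version. The record layout (a 32-byte NUL-padded name field followed by the payload), the function names and the sample records are all assumptions made for this example; they do not describe calibre's real header offsets.

```python
import os
import tempfile

# Toy record layout (ASSUMED for this example; not calibre's real PDB or
# eReader header layout): a 32-byte NUL-padded name followed by the data.
NAME_FIELD_LEN = 32


def build_record(name: bytes, payload: bytes) -> bytes:
    """Pack a constructed sample record with the given name and payload."""
    if len(name) > NAME_FIELD_LEN:
        raise ValueError("name longer than the 32-byte field")
    return name.ljust(NAME_FIELD_LEN, b"\x00") + payload


def parse_record(record: bytes):
    """Split a record into (name, payload); the name ends at the first NUL."""
    raw = record[:NAME_FIELD_LEN]
    name = raw.split(b"\x00", 1)[0].decode("latin-1")
    return name, record[NAME_FIELD_LEN:]


def unsafe_write(output_dir: str, record: bytes) -> str:
    """Vulnerable pattern: the untrusted name is joined onto output_dir as-is
    and opened in 'wb' mode, so '..' components walk out of output_dir and
    an existing target file is truncated and overwritten without warning.
    (An absolute name would make os.path.join discard output_dir entirely.)"""
    name, payload = parse_record(record)
    path = os.path.join(output_dir, name)
    with open(path, "wb") as fh:
        fh.write(payload)
    return os.path.realpath(path)


def safe_target(output_dir: str, name: str) -> str:
    """Hardened name handling: allow only a single plain path component,
    then confirm the resolved target really lies under output_dir."""
    normalised = name.replace("\\", "/")
    if not normalised or "/" in normalised or normalised in (".", ".."):
        raise ValueError("unsafe file name in record: %r" % name)
    root = os.path.realpath(output_dir)
    target = os.path.realpath(os.path.join(root, normalised))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes output directory: %r" % name)
    return target


def safe_write(output_dir: str, record: bytes) -> str:
    """Same write, but only after the name has passed safe_target()."""
    name, payload = parse_record(record)
    target = safe_target(output_dir, name)
    with open(target, "wb") as fh:
        fh.write(payload)
    return target


def is_rejected(name: str) -> bool:
    """True if the hardened check refuses the name."""
    try:
        safe_target(tempfile.gettempdir(), name)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Run both writers on a traversal name inside a throwaway directory tree."""
    base = tempfile.mkdtemp()
    out = os.path.join(base, "out")
    os.mkdir(out)
    hostile = build_record(b"../escaped.txt", b"attacker content")
    written = unsafe_write(out, hostile)
    escaped = os.path.dirname(written) == os.path.realpath(base)
    benign = safe_write(out, build_record(b"cover.png", b"\x89PNG"))
    return {
        "unsafe_escaped_output_dir": escaped,
        "safe_rejected_traversal": is_rejected("../escaped.txt"),
        "safe_wrote_benign_in_place": os.path.dirname(benign) == os.path.realpath(out),
    }


if __name__ == "__main__":
    print(demo())
```

The hardened version deliberately rejects rather than silently rewrites a name containing a separator or a dot-only component; the realpath/commonpath check is kept as a second line of defence so that a symlinked output directory cannot be used to redirect the write either. Whether an existing file should be overwritten at all is a separate decision; a reader that extracts untrusted archives usually wants to refuse that too.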

Affected Version(s)

calibre < 9.3.0

References

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published: 20 February 2026

  • Vulnerability reserved