Arbitrary Code Execution Vulnerability in Calibre eBook Manager
CVE-2026-53511

8.5HIGH

Key Information:

Vendor

Kovidgoyal

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-53511?

The Calibre eBook Manager is susceptible to an arbitrary code execution vulnerability when processing specially crafted EPUB, OPF, or PDF files. Versions prior to 9.10.0 fail to properly sanitize metadata input, enabling attackers to embed malicious Python code within custom column definitions. When a user adds or edits books, this unsanitized template can be executed through the exec() function, potentially compromising the system's security. Users are advised to upgrade to version 9.10.0 or later to mitigate this risk.

Affected Version(s)

calibre < 9.10.0

References

CVSS V4

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.