Cyber Resilience

CVE-2026-25635

HighPublic PoC

Published: 06 February 2026

Published
06 February 2026
Modified
17 February 2026
KEV Added
Patch
CVSS Score v3.1 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0044 34.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-25635 is a high-severity Path Traversal (CWE-22) vulnerability in Calibre-Ebook Calibre. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 34.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25635 is a path traversal vulnerability (CWE-22) in the CHM reader component of Calibre, an open-source e-book management application. Versions of Calibre prior to 9.2.0 are affected, enabling attackers to perform arbitrary file writes to any location where the affected user has write permissions.

The vulnerability can be exploited by a local attacker with no privileges required, though it demands user interaction such as opening a malicious CHM file in Calibre. Exploitation allows arbitrary file writes, which on Windows can escalate to code execution by placing a malicious payload in the Startup folder, triggering execution upon the user's next login. The CVSS v3.1 base score is 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts with a changed scope.

Calibre addresses this issue in version 9.2.0. Mitigation details are provided in the GitHub security advisory (GHSA-32vh-whvh-9fxr), the fixing commit (9739232fcb029ac15dfe52ccd4fdb4a07ebb6ce9), and an independent analysis at 0x5t.raptx.org/posts/calibre-chm-rce. Users should update to 9.2.0 or later and avoid opening untrusted CHM files.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

calibre is an e-book manager. Prior to 9.2.0, Calibre's CHM reader contains a path traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows (haven't tested on other OS's), this can lead to Remote Code…

more

Execution by writing a payload to the Startup folder, which executes on next login. This vulnerability is fixed in 9.2.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1547.001 Registry Run Keys / Startup Folder Persistence
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.
Why these techniques?

The path traversal vulnerability enables exploitation for client execution (T1203) via a malicious CHM file in Calibre, facilitating arbitrary file writes that can achieve persistence by placing payloads in the Startup folder (T1547.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30853Same product: Calibre-Ebook Calibre
CVE-2026-26064Same product: Calibre-Ebook Calibre
CVE-2026-26065Same product: Calibre-Ebook Calibre
CVE-2026-25636Same product: Calibre-Ebook Calibre
CVE-2026-25731Same product: Calibre-Ebook Calibre
CVE-2016-20048Shared CWE-22
CVE-2026-22871Shared CWE-22
CVE-2025-67030Shared CWE-22
CVE-2026-4092Shared CWE-22
CVE-2026-30283Shared CWE-22

Affected Assets

calibre-ebook
calibre
≤ 9.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents path traversal exploitation in Calibre's CHM reader by validating untrusted inputs used for file path construction.

prevent

Requires timely remediation of the specific path traversal flaw fixed in Calibre version 9.2.0 through patching.

preventdetect

Mitigates potential RCE by detecting and blocking malicious payloads written to the Windows Startup folder.

References