CVE-2026-25635

HighPublic PoC

Published: 06 February 2026

Published

06 February 2026

Modified

17 February 2026

KEV Added

—

Patch

—

CVSS Score 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS Score 0.0014 33.1th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25635 is a high-severity Path Traversal (CWE-22) vulnerability in Calibre-Ebook Calibre. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 33.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents path traversal exploitation in Calibre's CHM reader by validating untrusted inputs used for file path construction.

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the specific path traversal flaw fixed in Calibre version 9.2.0 through patching.

SI-3 Malicious Code Protection partial match

preventdetect

Mitigates potential RCE by detecting and blocking malicious payloads written to the Windows Startup folder.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1547.001 Registry Run Keys / Startup Folder Persistence

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.

attack.mitre.org →

Why these techniques?

The path traversal vulnerability enables exploitation for client execution (T1203) via a malicious CHM file in Calibre, facilitating arbitrary file writes that can achieve persistence by placing payloads in the Startup folder (T1547.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

calibre is an e-book manager. Prior to 9.2.0, Calibre's CHM reader contains a path traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows (haven't tested on other OS's), this can lead to Remote Code…

Execution by writing a payload to the Startup folder, which executes on next login. This vulnerability is fixed in 9.2.0.

Deeper analysisAI

CVE-2026-25635 is a path traversal vulnerability (CWE-22) in the CHM reader component of Calibre, an open-source e-book management application. Versions of Calibre prior to 9.2.0 are affected, enabling attackers to perform arbitrary file writes to any location where the affected user has write permissions.

The vulnerability can be exploited by a local attacker with no privileges required, though it demands user interaction such as opening a malicious CHM file in Calibre. Exploitation allows arbitrary file writes, which on Windows can escalate to code execution by placing a malicious payload in the Startup folder, triggering execution upon the user's next login. The CVSS v3.1 base score is 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts with a changed scope.

Calibre addresses this issue in version 9.2.0. Mitigation details are provided in the GitHub security advisory (GHSA-32vh-whvh-9fxr), the fixing commit (9739232fcb029ac15dfe52ccd4fdb4a07ebb6ce9), and an independent analysis at 0x5t.raptx.org/posts/calibre-chm-rce. Users should update to 9.2.0 or later and avoid opening untrusted CHM files.