CVE-2026-25636
Published: 06 February 2026
Summary
CVE-2026-25636 is a high-severity Path Traversal (CWE-22) vulnerability in Calibre-Ebook Calibre. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique User Execution: Malicious File (T1204.002). It is ranked at the 7.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validate CipherReference URIs during EPUB conversion so that they cannot resolve to filesystem paths outside the extraction directory.
- AC-3 (Access Enforcement): restrict the Calibre process to the files it legitimately needs inside the intended directory, blocking unauthorized read-write access anywhere else.
- SI-2 (Flaw Remediation): apply the fix promptly by upgrading to Calibre 9.2.0, which removes the path traversal.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is triggered when a user converts an attacker-supplied malicious EPUB (T1204.002). The core primitive is the overwrite or corruption of arbitrary existing files outside the extraction directory, which directly enables Stored Data Manipulation (T1565.001).
NVD Description
calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0.
Deeper analysis
CVE-2026-25636 is a path traversal vulnerability in Calibre, an e-book manager, affecting versions 9.1.0 and earlier. The flaw occurs during EPUB conversion, where Calibre resolves CipherReference URIs from META-INF/encryption.xml to absolute filesystem paths and opens them in read-write mode, even if the paths point outside the conversion extraction directory. This enables a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. The issue is associated with CWE-22 (Path Traversal), CWE-73 (External Control of File Name or Path) and CWE-94 (Improper Control of Generation of Code), and carries a CVSS v3.1 base score of 8.2 (AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H).
Exploitation requires a victim to convert an attacker-supplied EPUB with Calibre; no privileges are needed beyond that user interaction (PR:N, UI:R). The attack vector is rated local (AV:L) because the malicious file has to be processed by Calibre on the victim's machine, which is how CVSS scores file-based attacks; the attacker does not need an account on the host, only a way to deliver the file. Because the corrupted files can lie outside the conversion directory and belong to other software or to the user's own data, the scope is rated changed (S:C). The impact is high for integrity and availability (I:H, A:H) through corruption of any file writable by the Calibre process; confidentiality is not affected (C:N).
The vulnerability is addressed in Calibre 9.2.0. Mitigation details are outlined in the GitHub security advisory at https://github.com/kovidgoyal/calibre/security/advisories/GHSA-8r26-m7j5-hm29, with the fixing commit available at https://github.com/kovidgoyal/calibre/commit/9484ea82c6ab226c18e6ca5aa000fa16de598726. Further technical analysis appears at https://0x5t.raptx.org/posts/calibre-epub-rce.
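The containment check that the SI-10 control above calls for, as an added example: this is not calibre's code and not the fixing commit, and the EPUB container, file names and extraction directory it uses are constructed here. It pulls every CipherReference URI out of META-INF/encryption.xml, shows where an unchecked join-and-normalise resolver would land for a traversing URI, and then resolves the same URIs through a hardened function that rejects URL schemes, absolute paths, percent-encoded dot segments and symlink escapes before anything is opened. Nothing here opens a file for writing; the read-write open the advisory describes is the step the check must sit in front of.

```python
"""Checking EPUB CipherReference URIs against the extraction directory.

Added example for this page; not calibre's code. The EPUB below is constructed
here and its file names are hypothetical.
"""
import io
import os
import posixpath
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

# OCF encryption.xml uses the XML Encryption namespace for CipherReference.
XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#"


def build_sample_epub() -> bytes:
    """Constructed minimal EPUB: one in-container CipherReference and one that
    walks out of the extraction directory."""
    enc_xml = (
        '<encryption xmlns="urn:oasis:names:tc:opendocument:xmlns:container" '
        f'xmlns:enc="{XMLENC_NS}">'
        "<enc:EncryptedData><enc:CipherData>"
        '<enc:CipherReference URI="OEBPS/fonts/font.otf"/>'
        "</enc:CipherData></enc:EncryptedData>"
        "<enc:EncryptedData><enc:CipherData>"
        '<enc:CipherReference URI="../../../victim.txt"/>'
        "</enc:CipherData></enc:EncryptedData>"
        "</encryption>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/epub+zip")
        zf.writestr("META-INF/encryption.xml", enc_xml)
        zf.writestr("OEBPS/fonts/font.otf", b"\x00" * 16)
    return buf.getvalue()


def cipher_reference_uris(epub_bytes: bytes) -> list:
    """Every CipherReference URI in META-INF/encryption.xml, in document order."""
    with zipfile.ZipFile(io.BytesIO(epub_bytes)) as zf:
        root = ET.fromstring(zf.read("META-INF/encryption.xml"))
    return [el.get("URI", "") for el in root.iter(f"{{{XMLENC_NS}}}CipherReference")]


def resolve_unchecked(extract_dir: str, uri: str) -> str:
    """The pattern the advisory describes: join with the extraction dir and
    normalise, with no containment check. Shown for contrast only."""
    return os.path.abspath(os.path.join(extract_dir, unquote(uri)))


class UnsafeCipherReference(ValueError):
    """Raised for a URI that must not be opened relative to the extraction dir."""


def resolve_checked(extract_dir: str, uri: str) -> str:
    """Hardened resolver: only relative, in-container paths survive."""
    parts = urlsplit(uri)
    if parts.scheme or parts.netloc:  # file://, http://, drive letters
        raise UnsafeCipherReference(f"non-relative URI: {uri!r}")
    rel = unquote(parts.path)  # decode %2e%2e before any path logic
    if rel.startswith("/") or "\\" in rel:
        raise UnsafeCipherReference(f"absolute or non-POSIX path: {uri!r}")
    if ".." in posixpath.normpath(rel).split("/"):
        raise UnsafeCipherReference(f"parent traversal: {uri!r}")
    root = os.path.realpath(extract_dir)
    # realpath on both sides so a symlink planted inside the container cannot
    # redirect the eventual open outside it.
    target = os.path.realpath(os.path.join(root, *rel.split("/")))
    if os.path.commonpath([root, target]) != root:
        raise UnsafeCipherReference(f"escapes extraction dir: {uri!r}")
    return target


def is_rejected(extract_dir: str, uri: str) -> bool:
    try:
        resolve_checked(extract_dir, uri)
        return False
    except UnsafeCipherReference:
        return True


def classify(epub_bytes: bytes, extract_dir: str) -> dict:
    """Verdict per URI in the container: 'inside' or 'rejected'."""
    return {u: ("rejected" if is_rejected(extract_dir, u) else "inside")
            for u in cipher_reference_uris(epub_bytes)}


def demo() -> dict:
    """Run the constructed sample through both resolvers in a scratch dir."""
    epub = build_sample_epub()
    with tempfile.TemporaryDirectory() as extract_dir:
        root = os.path.realpath(extract_dir)
        unchecked = resolve_unchecked(root, "../../../victim.txt")
        return {
            "verdicts": classify(epub, extract_dir),
            "unchecked_escapes": os.path.commonpath([root, unchecked]) != root,
            "checked_target": resolve_checked(extract_dir, "OEBPS/fonts/font.otf")
                              == os.path.join(root, "OEBPS", "fonts", "font.otf"),
            "encoded_rejected": is_rejected(extract_dir, "%2e%2e/%2e%2e/victim.txt"),
            "absolute_rejected": is_rejected(extract_dir, "/etc/hostname"),
            "scheme_rejected": is_rejected(extract_dir, "file:///etc/hostname"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The order of the checks matters: decoding happens before the dot-segment test, otherwise `%2e%2e` slips through a string match on `..`, and the final `commonpath` test runs on `realpath` output so a symlink shipped inside the archive cannot point the later open at a file outside the directory. The check assumes the extraction directory itself is trusted, which is the same assumption the conversion pipeline already makes.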
Details
- CWE(s)