CVE-2026-25731
Published: 06 February 2026
Summary
CVE-2026-25731 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Calibre-Ebook Calibre. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique User Execution: Malicious File (T1204.002). The vulnerability is ranked at the 1.2 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the SSTI vulnerability by requiring timely patching of Calibre to version 9.2.0 or later, as specified in the security advisory.
- SI-10 (Information Input Validation): requires validation of untrusted inputs, such as malicious custom template files, to prevent server-side template injection and arbitrary code execution during e-book conversion.
- CM-11 (User-Installed Software): controls the installation and use of user-installed software, such as vulnerable versions of Calibre, to limit exposure to this local arbitrary code execution vulnerability.
MITRE ATT&CK Enterprise Techniques
- User Execution: Malicious File (T1204.002)
- Command and Scripting Interpreter: Python (T1059.006)
Why these techniques?
SSTI in Calibre's local template processing enables code execution when a user opens or converts a malicious e-book with a crafted template supplied through the CLI options. This maps directly to user execution of a malicious file and to Python-based code execution, since the injected template code runs inside Calibre's Python process.
NVD Description
calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index command-line options. This vulnerability is fixed in 9.2.0.
Deeper analysis
CVE-2026-25731 is a Server-Side Template Injection (SSTI) vulnerability (CWE-1336) in the Templite templating engine used by Calibre, an open-source e-book manager. The issue affects versions of Calibre prior to 9.2.0 and enables arbitrary code execution when a user processes an e-book using a malicious custom template file supplied via the --template-html or --template-html-index command-line options during conversion.
The vulnerability requires local access (AV:L) with low attack complexity (AC:L), no privileges (PR:N), and user interaction (UI:R), as scored at CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). A local attacker can exploit it by tricking a user into converting a specially crafted e-book that includes a malicious template, leading to arbitrary code execution on the victim's machine with high impacts on confidentiality, integrity, and availability.
Calibre's security advisory (GHSA-xrh9-w7qx-3gcc) and the fixing commit (f0649b27512e987b95fcab2e1e0a3bcdafc23379) confirm the vulnerability was patched in version 9.2.0, recommending users update to this release to mitigate the issue.
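Since the only complete remediation is upgrading to 9.2.0 or later, the practical defender task is finding installs that predate the fix. The following is an added example, not code from Calibre or from this advisory: it triages a constructed inventory of hosts by their reported Calibre version, comparing versions as integer tuples so that a release such as 9.10.1 is correctly recognised as newer than 9.2.0 (a plain string comparison would get this wrong). The "calibre (calibre X.Y.Z)" line shape and all hostnames are assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# First release carrying the fix, per advisory GHSA-xrh9-w7qx-3gcc.
FIXED_VERSION: Tuple[int, int, int] = (9, 2, 0)

# Constructed inventory: "<host> <version string>"; hostnames and versions are made up.
# The "calibre (calibre X.Y.Z)" shape is an assumed format for `calibre --version` output.
INVENTORY = """\
ws-01 calibre (calibre 9.1.0)
ws-02 calibre (calibre 9.2.0)
ws-03 calibre (calibre 9.10.1)
ws-04 calibre (calibre 8.12.0)
ws-05 calibre (calibre n/a)
"""

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the first X.Y[.Z] version in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """True when the install predates the fixed release.

    Tuple comparison is deliberate: comparing the raw strings would rank
    "9.10.1" below "9.2.0" and mis-flag a patched host as vulnerable.
    """
    return version < FIXED_VERSION


def triage(inventory: str) -> Dict[str, str]:
    """Map host -> 'vulnerable' | 'patched' | 'unknown' for each inventory line."""
    result: Dict[str, str] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, rest = line.partition(" ")
        version = parse_version(rest)
        if version is None:
            result[host] = "unknown"  # unparsable: needs a manual check, not a silent pass
        else:
            result[host] = "vulnerable" if is_vulnerable(version) else "patched"
    return result
```

Hosts reported as "unknown" should be verified by hand rather than treated as patched.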
Details
- CWE(s)