CVE-2026-26064
Published: 20 February 2026
Summary
CVE-2026-26064 is a high-severity Path Traversal (CWE-22) vulnerability in Calibre-Ebook Calibre. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The vulnerability ranks at the 24.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires validation of ZIP file paths in the extract_pictures function to block path traversal sequences like '..', preventing arbitrary file writes.
- Mandates timely flaw remediation, including patching calibre to version 9.3.0 or later, where proper path sanitization was implemented.
- Enforces restrictions on file path inputs to limit extraction and writes to authorized directories like 'Pictures', mitigating traversal exploits.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal enables an arbitrary file write from a malicious e-book/ZIP opened by the user (T1204.002); the description explicitly notes writing a payload to the Windows Startup folder for execution at login (T1547.001).
NVD Description
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows, this leads to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. Function extract_pictures only checks startswith('Pictures'), and does not sanitize '..' sequences. calibre's own ZipFile.extractall() in utils/zipfile.py does sanitize '..' via _get_targetpath(), but extract_pictures() bypasses this by using manual zf.read() + open(). This issue has been fixed in version 9.3.0.
Deeper analysis
CVE-2026-26064 is a path traversal vulnerability (CWE-22) affecting calibre, a cross-platform e-book manager used for viewing, converting, editing, and cataloging e-books. The issue impacts versions 9.2.1 and earlier, stemming from the extract_pictures function, which only checks if paths start with 'Pictures' but fails to sanitize '..' sequences. This allows arbitrary file writes to locations where the user has write permissions. While calibre's custom ZipFile.extractall() in utils/zipfile.py properly sanitizes paths via _get_targetpath(), the extract_pictures function bypasses this protection by manually using zf.read() and open(). The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-02-20.
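The root cause described above is a prefix test (startswith('Pictures')) standing in for path validation. The following is an added example, not calibre's code and not the 9.3.0 fix itself: it shows the weak prefix check beside a member-name validator that rejects '..' components, absolute names, and anything whose resolved path leaves the destination, then applies that validator around the same manual zf.read() + open() pattern the advisory says extract_pictures used. The archive it extracts is constructed in memory for the demonstration; function names (weak_is_picture, safe_target_path, extract_pictures_safely) are this example's own.

```python
import io
import os
import tempfile
import zipfile
from typing import Optional

PICTURES_PREFIX = "Pictures"


def weak_is_picture(name: str) -> bool:
    """The prefix-only test the advisory describes for extract_pictures.

    It accepts 'Pictures/../x' (and 'Pictures_other/x'), because a string
    prefix says nothing about where the path resolves on disk.
    """
    return name.startswith(PICTURES_PREFIX)


def safe_target_path(member_name: str, dest_dir: str) -> Optional[str]:
    """Map a ZIP member name to an absolute path under dest_dir/Pictures.

    Returns None for any name that must not be written: absolute paths,
    drive letters, '.'/'..' components, empty components, or a top-level
    directory other than 'Pictures'. A final realpath containment check
    catches anything the syntactic rules miss (e.g. a symlinked subdirectory).
    """
    norm = member_name.replace("\\", "/")   # archives built on Windows may carry backslashes
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return None                          # absolute path or drive letter
    parts = norm.split("/")
    if any(p in ("", ".", "..") for p in parts):
        return None                          # traversal or malformed component
    if parts[0] != PICTURES_PREFIX:
        return None                          # exact directory match, not a prefix match
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, *parts))
    if os.path.commonpath([dest_real, target]) != dest_real:
        return None                          # resolved outside the destination
    return target


def extract_pictures_safely(zip_bytes: bytes, dest_dir: str) -> dict:
    """Extract Pictures/* members with zf.read() + open(), the manual pattern the
    advisory describes, but only after each member name has been validated."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = safe_target_path(info.filename, dest_dir)
            if target is None:
                rejected.append(info.filename)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
            rel = os.path.relpath(target, os.path.realpath(dest_dir))
            extracted.append(rel.replace(os.sep, "/"))
    return {"extracted": extracted, "rejected": rejected}


def build_sample_zip() -> bytes:
    """Constructed archive for the demo; not derived from any real calibre file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Pictures/cover.jpg", b"\xff\xd8 not a real jpeg")
        zf.writestr("Pictures/../escaped.txt", b"would land one level above Pictures")
        zf.writestr("Pictures/sub/../../escaped2.txt", b"")
        zf.writestr("Pictures_not/also.txt", b"")   # passes startswith('Pictures') but is another directory
        zf.writestr("Other/readme.txt", b"")
    return buf.getvalue()


def demo() -> dict:
    """Extract the sample archive into a throwaway directory and report which
    rejected names the prefix-only check would have let through."""
    with tempfile.TemporaryDirectory() as dest:
        result = extract_pictures_safely(build_sample_zip(), dest)
    result["weak_check_accepts"] = [n for n in result["rejected"] if weak_is_picture(n)]
    return result


if __name__ == "__main__":
    for key, names in demo().items():
        print(f"{key}: {names}")
```

Running the script extracts only Pictures/cover.jpg and lists the three names the prefix check would have accepted. Two design points carry over to any manual extraction loop: validate the member name as path components (not as a string prefix) before opening anything, and keep the realpath containment check as a second layer, since it also covers a destination directory that already contains a symlink. CPython's own ZipFile.extract() applies equivalent sanitisation, which is why the advisory's observation that the bypass lives in the manual read()+open() path matters.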
An attacker can exploit this vulnerability by supplying a malicious e-book or ZIP file that triggers the extract_pictures function, such as during e-book processing. Exploitation requires low privileges (PR:L), is network-accessible (AV:N) with low attack complexity (AC:L), and needs no user interaction beyond opening the file in calibre. Successful attacks enable arbitrary file writes in the user's writable directories. On Windows, this facilitates remote code execution by writing a payload to the Startup folder, which executes upon the next user login.
The GitHub security advisory (GHSA-72ch-3hqc-pgmp) and fixing commit (e1b5f9b45a5e8fa96c136963ad9a1d35e6adac62) confirm the issue was resolved in calibre version 9.3.0 through proper path sanitization in extract_pictures. Security practitioners should advise users to update to 9.3.0 or later and avoid processing untrusted e-books until patched.
Details
- CWE(s)