CVE-2026-26065
Published: 20 February 2026
Summary
CVE-2026-26065 is a high-severity Path Traversal (CWE-22) vulnerability in Calibre-Ebook Calibre. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105); ranked at the 14.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the path traversal vulnerability in calibre's PDB readers by requiring timely patching to version 9.3.0 or later.
- SI-10 (Information Input Validation): Requires validation of PDB file inputs and paths to block traversal sequences enabling arbitrary file writes and overwrites.
- Least privilege: Enforces least privilege on the calibre process to restrict write permissions, limiting the locations and impact of arbitrary file overwrites.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal enables direct arbitrary file writes (any location, extension, or content, including binary overwrites), which maps to T1105 for payload or tool placement. Triggering requires the user to open a malicious PDB file (normal application use, no extra interaction), which maps to T1204.002. The overwrite capability directly supports stored data/file manipulation (T1565.001) and can achieve code execution or denial of service by replacing critical files.
NVD Description
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below are vulnerable to Path Traversal through PDB readers (both 132-byte and 202-byte header variants) that allow arbitrary file writes with arbitrary extension and arbitrary content anywhere the user has write permissions. Files are written in 'wb' mode, silently overwriting existing files. This can lead to potential code execution and Denial of Service through file corruption. This issue has been fixed in version 9.3.0.
Deeper analysis
CVE-2026-26065 is a path traversal vulnerability (CWE-22) in the PDB readers of calibre, a cross-platform e-book manager used for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below are affected, specifically both the 132-byte and 202-byte header variants of the PDB readers. The flaw enables arbitrary file writes, with arbitrary extension and content, to any location where the user has write permissions; files are written in binary ('wb') mode, which silently overwrites existing files. Published on 2026-02-20, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability can be exploited by an attacker with low privileges (PR:L) over the network (AV:N) with low attack complexity and no user interaction beyond normal application use. Exploitation allows arbitrary file writes, enabling high confidentiality, integrity, and availability impacts, such as potential code execution by overwriting critical files like executables and denial of service through file corruption.
The issue has been addressed in calibre version 9.3.0. Security practitioners should recommend immediate upgrades to this version or later. Additional details are available in the GitHub security advisory at https://github.com/kovidgoyal/calibre/security/advisories/GHSA-vmfh-7mr7-pp2w and the fixing commit at https://github.com/kovidgoyal/calibre/commit/b6da1c3878c06eb1356cb0ec1106cb66e0e9bfb8.
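As an added illustration (not calibre's code and not the fix in the referenced commit), the two checks a hardened PDB reader would apply before writing an extracted record: confining the untrusted file name to the output directory, and refusing to overwrite by using exclusive-create mode instead of the 'wb' mode the advisory describes. The output directory and file names used here are constructed sample values.

```python
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafeOutputPath(ValueError):
    """Raised when a name taken from the input file would escape the output directory."""


def safe_output_path(out_dir, name):
    """Map an untrusted record name to a path strictly inside out_dir.

    Rejects empty names, embedded NULs, absolute or drive-qualified paths and
    '..' components on either separator convention, then re-checks containment
    after resolving symlinks so a pre-planted link cannot redirect the write.
    """
    base = Path(out_dir).resolve()
    if not name or "\x00" in name or PureWindowsPath(name).drive:
        raise UnsafeOutputPath(f"empty, NUL-bearing or drive-qualified name: {name!r}")
    rel = PurePosixPath(name.replace("\\", "/"))  # treat backslashes as separators too
    if rel.is_absolute() or ".." in rel.parts:
        raise UnsafeOutputPath(f"absolute path or traversal component: {name!r}")
    target = (base / Path(*rel.parts)).resolve()
    if target == base or base not in target.parents:
        raise UnsafeOutputPath(f"name resolves outside output directory: {name!r}")
    return target


def is_safe_name(name, out_dir="/tmp/calibre-out"):  # constructed dir; need not exist
    try:
        safe_output_path(out_dir, name)
        return True
    except UnsafeOutputPath:
        return False


def write_record(out_dir, name, data):
    """Write one extracted record; 'xb' refuses to clobber an existing file."""
    target = safe_output_path(out_dir, name)
    target.parent.mkdir(parents=True, exist_ok=True)
    with open(target, "xb") as fh:
        fh.write(data)
    return target


def demo_write_twice(name="book.txt"):
    """Returns (first_write_ok, second_write_refused) using a throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        first = write_record(d, name, b"constructed sample record").exists()
        try:
            write_record(d, name, b"would silently overwrite under 'wb'")
            return first, False
        except FileExistsError:
            return first, True
```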
Details
- CWE(s)