CVE-2026-30853
Published: 13 March 2026
Summary
CVE-2026-30853 is a medium-severity Path Traversal (CWE-22) vulnerability in Calibre-Ebook Calibre. Its CVSS base score is 5.0 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The vulnerability is ranked at the 7.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
Calibre, a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books, suffers from a path traversal vulnerability (CWE-22) in its RocketBook (.rb) input plugin at src/calibre/ebooks/rb/reader.py. This issue affects versions prior to 9.5.0 and enables an attacker to write arbitrary files to any path writable by the calibre process upon a user opening or converting a crafted .rb file.
The attack requires local access (AV:L) and no privileges (PR:N), but it relies on user interaction (UI:R), such as deliberately opening or converting a malicious .rb file. Successful exploitation yields low integrity (I:L) and availability (A:L) impacts with a changed scope (S:C), for a CVSS 3.1 base score of 5.0.
The vulnerability is remediated in calibre 9.5.0. Additional details are available in the GitHub security advisory at https://github.com/kovidgoyal/calibre/security/advisories/GHSA-7mp7-rfrg-542x. This flaw belongs to the same bug class previously fixed in CVE-2026-26065 for PDB readers, though that patch was not extended to the RB reader.
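The control that closes this bug class is the one SI-10 describes: every entry name taken from an untrusted container must be validated against the output directory before anything is written. The following is an added example, not calibre's code and not the patch referenced in the advisory; the function names (`safe_output_path`, `is_safe_entry_name`, `extract_entries`) and the sample entries are constructed for illustration. It shows the check a file-format reader should apply before writing an entry to disk, and generalizes beyond the .rb case to any archive-like input (absolute names, drive letters, `..` segments, backslash separators, and symlinks planted by an earlier entry).

```python
"""Added example (not calibre's code): validate untrusted archive entry names
before writing them under an output directory (CWE-22 mitigation, NIST SI-10)."""
import ntpath
import posixpath
from pathlib import Path


class UnsafeEntryName(ValueError):
    """Raised when an entry name would land outside the output directory."""


def safe_output_path(output_dir, entry_name):
    """Return the resolved path under output_dir for entry_name, or raise.

    Rejects empty names, absolute names, Windows drive/UNC prefixes, names
    whose normalized form starts with '..', and names that resolve (following
    symlinks created by earlier entries) outside output_dir.
    """
    root = Path(output_dir).resolve()
    name = entry_name.replace("\\", "/")          # treat backslash as separator
    if not name or name.startswith("/"):
        raise UnsafeEntryName(entry_name)
    if ntpath.splitdrive(name)[0]:                # 'C:' or '//server/share'
        raise UnsafeEntryName(entry_name)
    norm = posixpath.normpath(name)               # collapse 'a/../b' -> 'b'
    if norm == ".." or norm.startswith("../"):
        raise UnsafeEntryName(entry_name)
    candidate = (root / norm).resolve()           # follows existing symlinks
    # The candidate must be strictly inside root: a name that normalizes to
    # '.' maps onto root itself and is refused as well.
    if candidate == root or root not in candidate.parents:
        raise UnsafeEntryName(entry_name)
    return candidate


def is_safe_entry_name(output_dir, entry_name):
    """Boolean form of safe_output_path, convenient for tests and logging."""
    try:
        safe_output_path(output_dir, entry_name)
    except UnsafeEntryName:
        return False
    return True


def extract_entries(output_dir, entries):
    """Write (name, data) pairs under output_dir, refusing unsafe names.

    Returns (written, rejected): resolved paths written, and entry names
    refused. Rejected entries are never written, only reported.
    """
    written, rejected = [], []
    for name, data in entries:
        try:
            target = safe_output_path(output_dir, name)
        except UnsafeEntryName:
            rejected.append(name)
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        written.append(target)
    return written, rejected


# Constructed sample container contents: one legitimate entry, two that try
# to escape the output directory (relative traversal and absolute path).
SAMPLE_ENTRIES = [
    ("OEBPS/chapter1.html", b"<p>hello</p>"),
    ("../../outside.txt", b"escapes the output directory"),
    ("/tmp/absolute.txt", b"absolute path"),
]

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as out:
        written, rejected = extract_entries(out, SAMPLE_ENTRIES)
        root = Path(out).resolve()
        print("written :", [str(p.relative_to(root)) for p in written])
        print("rejected:", rejected)
```

Resolving both the output directory and the candidate path before comparing them is what makes the check hold when an earlier entry has already created a symlink inside the output directory: the later entry's resolved path then points outside the root and is refused. A reader that only string-matches on `..` misses that case and also misses backslash separators and drive prefixes on the platforms where they apply.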
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-12069
Vulnerability details
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to 9.5.0, a path traversal vulnerability in the RocketBook (.rb) input plugin (src/calibre/ebooks/rb/reader.py) allows an attacker to write arbitrary files to any path writable by the calibre process when a user opens or converts a crafted .rb file. This is the same bug class fixed in CVE-2026-26065 for the PDB readers, but the fix was never applied to the RB reader. This vulnerability is fixed in 9.5.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in Calibre's local .rb file parser is triggered by a user opening a crafted file, which directly maps to client-side exploitation (T1203) and user execution of a malicious file (T1204.002). The resulting arbitrary file write may support follow-on actions, but it is not itself a distinct Enterprise technique.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of untrusted .rb file paths to block the CWE-22 traversal that writes arbitrary files.
- AC-6 (Least Privilege): Limits the writable paths available to the calibre process, reducing the impact of any successful traversal in the RB reader plugin.
- File integrity monitoring: Detects unauthorized file modifications resulting from exploitation of the RB input plugin path traversal.