Cyber Resilience

CVE-2026-30853

Severity: Medium · Public PoC

Published: 13 March 2026
Modified: 18 March 2026
KEV added: not listed
CVSS v3.1 base score: 5.0 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L)
EPSS score: 0.0018 (7.6th percentile)
Risk priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-30853 is a medium-severity Path Traversal (CWE-22) vulnerability in Calibre-Ebook Calibre. Its CVSS base score is 5.0 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 7.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

Calibre, a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books, suffers from a path traversal vulnerability (CWE-22) in its RocketBook (.rb) input plugin at src/calibre/ebooks/rb/reader.py. This issue affects versions prior to 9.5.0 and enables an attacker to write arbitrary files to any path writable by the calibre process when a user opens or converts a crafted .rb file.

The attack requires local access (AV:L) and no privileges (PR:N) but relies on user interaction (UI:R), such as the victim deliberately opening or converting a malicious .rb file. Successful exploitation has limited integrity (I:L) and availability (A:L) impacts, and the scope is changed (S:C) because the file write reaches resources outside the vulnerable component itself, giving a CVSS 3.1 base score of 5.0.

The vulnerability is remediated in calibre 9.5.0. Additional details are available in the GitHub security advisory at https://github.com/kovidgoyal/calibre/security/advisories/GHSA-7mp7-rfrg-542x. This flaw belongs to the same bug class previously fixed in CVE-2026-26065 for PDB readers, though that patch was not extended to the RB reader.
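The defensive check a file-format reader needs before writing an entry named by untrusted input, as an added illustration of the CWE-22 bug class described above; this is not calibre's code and not taken from the advisory, and `safe_output_path`, `extract_entries` and the sample entry names are hypothetical.

```python
import os
import tempfile
from pathlib import Path, PurePosixPath


class UnsafeEntryName(ValueError):
    """An entry name from the input file would land outside the output directory."""


def safe_output_path(base_dir: str, entry_name: str) -> Path:
    """Map an untrusted entry name onto a path strictly inside base_dir, or raise.

    Rejects absolute names, drive letters, '..' segments and anything that still
    resolves outside base_dir once symlinks are followed.
    """
    name = entry_name.replace("\\", "/")            # crafted names may mix separators
    if not name or name.startswith("/") or os.path.splitdrive(name)[0]:
        raise UnsafeEntryName(entry_name)
    parts = PurePosixPath(name).parts               # drops empty and '.' segments
    if not parts or any(p == ".." or ":" in p for p in parts):
        raise UnsafeEntryName(entry_name)
    base = Path(base_dir).resolve()
    candidate = (base / Path(*parts)).resolve()     # resolve() follows symlinks, so 'link/x' is caught
    if candidate != base and base not in candidate.parents:
        raise UnsafeEntryName(entry_name)
    return candidate


def is_safe_entry(base_dir: str, entry_name: str) -> bool:
    try:
        safe_output_path(base_dir, entry_name)
        return True
    except UnsafeEntryName:
        return False


def extract_entries(base_dir: str, entries: dict) -> list:
    """Write each entry under base_dir; names failing the containment check are skipped."""
    base = Path(base_dir).resolve()
    written = []
    for name, data in entries.items():
        try:
            target = safe_output_path(base_dir, name)
        except UnsafeEntryName:
            continue                                # a real reader would log the rejected name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        written.append(target.relative_to(base).as_posix())
    return written


# Constructed sample entries (hypothetical; not parsed from a real .rb file).
SAMPLE_ENTRIES = {"text.html": b"<p>chapter one</p>", "images/cover.png": b"\x89PNG",
                  "../../evil.sh": b"#!/bin/sh", "/tmp/absolute.txt": b"x",
                  "..\\..\\win.ini": b"x", "C:/boot.ini": b"x"}


def demo() -> list:
    return extract_entries(tempfile.mkdtemp(prefix="rb-extract-"), SAMPLE_ENTRIES)
```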

Vulnerability details

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to 9.5.0, a path traversal vulnerability in the RocketBook (.rb) input plugin (src/calibre/ebooks/rb/reader.py) allows an attacker to write arbitrary files to any path writable by the calibre process when a user opens or converts a crafted .rb file. This is the same bug class fixed in CVE-2026-26065 for the PDB readers, but the fix was never applied to the RB reader. This vulnerability is fixed in 9.5.0.

CWE(s): CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1204.002 Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Path traversal in Calibre's local .rb file parser is triggered by a user opening a crafted file, which directly maps to client-side exploitation (T1203) and user execution of a malicious file (T1204.002); the resulting arbitrary file write may support follow-on actions but is not itself a distinct Enterprise technique.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25635 · Same product: Calibre-Ebook Calibre
CVE-2026-26064 · Same product: Calibre-Ebook Calibre
CVE-2026-26065 · Same product: Calibre-Ebook Calibre
CVE-2026-25636 · Same product: Calibre-Ebook Calibre
CVE-2026-25731 · Same product: Calibre-Ebook Calibre
CVE-2026-5656 · Shared CWE-22
CVE-2026-28373 · Shared CWE-22
CVE-2026-40027 · Shared CWE-22
CVE-2025-0332 · Shared CWE-22
CVE-2026-40157 · Shared CWE-22

Affected Assets

Vendor: calibre-ebook
Product: calibre
Versions: ≤ 9.5.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

Prevent · SI-10 (Information Input Validation): directly requires validation of untrusted .rb file paths to block the CWE-22 traversal that writes arbitrary files.

Prevent · AC-6 (Least Privilege): limits the writable paths available to the calibre process, reducing the impact of any successful traversal in the RB reader plugin.

Detect: detects unauthorized file modifications resulting from exploitation of the RB input plugin path traversal.

References