Cyber Posture

CVE-2026-30853

MediumPublic PoC

Published: 13 March 2026

Published
13 March 2026
Modified
18 March 2026
KEV Added
Patch
CVSS Score 5.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L
EPSS Score 0.0003 7.5th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-30853 is a medium-severity Path Traversal (CWE-22) vulnerability in Calibre-Ebook Calibre. Its CVSS base score is 5.0 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 7.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique.
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SI-10 Information Input Validation
addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
attack.mitre.org →
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
attack.mitre.org →
Why these techniques?

Path traversal in Calibre's local .rb file parser is triggered by user opening a crafted file, directly enabling client-side exploitation (T1203) and user execution of a malicious file (T1204.002); arbitrary write may support follow-on actions but is not itself a distinct Enterprise technique.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to 9.5.0, a path traversal vulnerability in the RocketBook (.rb) input plugin (src/calibre/ebooks/rb/reader.py) allows an attacker to write arbitrary files to any path writable by the…

more

calibre process when a user opens or converts a crafted .rb file. This is the same bug class fixed in CVE-2026-26065 for the PDB readers, but the fix was never applied to the RB reader. This vulnerability is fixed in 9.5.0.

Deeper analysisAI

Calibre, a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books, suffers from a path traversal vulnerability (CWE-22) in its RocketBook (.rb) input plugin at src/calibre/ebooks/rb/reader.py. This issue affects versions prior to 9.5.0 and enables an attacker to write arbitrary files to any path writable by the calibre process upon a user opening or converting a crafted .rb file.

The attack requires local access (AV:L) with no privileges (PR:N) but relies on user interaction (UI:R), such as deliberately opening or converting a malicious .rb file. Successful exploitation allows limited integrity (I:L) and availability (A:L) impacts within a scoped attack surface (S:C), earning a CVSS 3.1 base score of 5.0.

The vulnerability is remediated in calibre 9.5.0. Additional details are available in the GitHub security advisory at https://github.com/kovidgoyal/calibre/security/advisories/GHSA-7mp7-rfrg-542x. This flaw belongs to the same bug class previously fixed in CVE-2026-26065 for PDB readers, though that patch was not extended to the RB reader.

Details

CWE(s)
CWE-22

Affected Products

calibre-ebook
calibre
≤ 9.5.0

CVEs Like This One

CVE-2026-25635Same product: Calibre-Ebook Calibre
CVE-2026-26064Same product: Calibre-Ebook Calibre
CVE-2026-26065Same product: Calibre-Ebook Calibre
CVE-2026-25636Same product: Calibre-Ebook Calibre
CVE-2026-25731Same product: Calibre-Ebook Calibre
CVE-2025-10284Shared CWE-22
CVE-2026-40157Shared CWE-22
CVE-2025-0332Shared CWE-22
CVE-2026-40027Shared CWE-22
CVE-2026-5656Shared CWE-22

References