Product Overview
Product: Calibre
Category: E-book management and conversion software
Platforms: Windows, macOS, Linux
Affected Scope: Versions prior to 9.2.0
Patched Version: 9.2.0 and later
Calibre is widely used to convert and manage e-book formats such as EPUB, MOBI, AZW, PDF, and CHM. Due to its ability to process complex archive-based formats, improper handling of file paths during extraction and conversion introduced multiple path traversal vulnerabilities.
Vulnerability Summary Table
| CVE ID | Vulnerability Type | CVSS Score | Severity | Impact | Exploitability | Exploit Availability |
|---|---|---|---|---|---|---|
| CVE-2026-25635 | Path Traversal | 8.6 | High | Arbitrary file write → RCE (Windows) | Low complexity, user interaction required | Proof-of-concept available (educational/research use) |
| CVE-2026-25636 | Path Traversal | 8.2 | High | Arbitrary file overwrite → File corruption | Low complexity, user interaction required | No weaponized exploit observed |
CVE-2026-25635 – Path Traversal Leading to Arbitrary File Write and RCE (Windows)
Description
A path traversal vulnerability was identified in Calibre’s CHM (Compiled HTML Help) processing logic. During conversion, internal CHM file paths were insufficiently sanitized. While absolute paths were partially restricted, relative traversal sequences such as .. were not fully resolved or neutralized.
As a result, files embedded inside a malicious CHM archive could be written outside the intended temporary extraction directory.
Impact
On Windows systems, this issue could be leveraged to write files into sensitive user-writable locations such as:
- Startup folders
- User profile directories
- Application data paths
If a script, batch file, or shortcut were written into a Startup directory, code execution would occur automatically during the next user logon. Execution would occur with the privileges of the affected user.
Exploitation Details
The following exploitation flow has been demonstrated in controlled environments:
- A CHM file is crafted with embedded file entries containing traversal paths.
- The victim opens or converts the file using Calibre.
- Calibre writes attacker-controlled files outside the extraction directory.
- A malicious payload placed in an auto-start location executes on user logon.
Exploitation requires user interaction but no elevated privileges.
Proof of Concept Status
A functional proof of concept has been released publicly for educational and defensive testing purposes. The PoC demonstrates reliable file placement into Windows Startup directories when processed by vulnerable versions of Calibre. No evidence of mass exploitation has been observed.
MITRE Classification
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory
- ATT&CK Techniques:
- T1204.002 – User Execution: Malicious File
- T1547.001 – Boot or Logon Autostart Execution (Startup Folder)
CVE-2026-25636 – Path Traversal Resulting in Arbitrary File Overwrite
Description
A second path traversal vulnerability exists in Calibre’s EPUB conversion workflow, specifically in handling font obfuscation metadata defined in META-INF/encryption.xml.
During processing, Calibre resolved file paths referenced by encryption metadata without validating whether the resolved path remained inside the EPUB extraction directory. This allowed absolute or traversal-based paths to be opened and modified.
Impact
This vulnerability enables:
- Arbitrary file overwrite
- Silent corruption of user files
- Potential destabilization of applications or data integrity
While direct remote code execution was not demonstrated, overwriting configuration or script files could be chained with other weaknesses in certain environments.
Exploitation Details
The vulnerability can be triggered as follows:
- A malicious EPUB is crafted with manipulated encryption metadata.
- The file is converted or opened in Calibre.
- Calibre opens and modifies a file outside the EPUB directory.
- Targeted files become corrupted or overwritten.
User interaction is required, and exploitation is limited by filesystem permissions.
Proof of Concept Status
No standalone exploit code has been widely published. Technical details confirm exploit feasibility, but observed use remains limited to testing and disclosure contexts.
MITRE Classification
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory
Detection and Monitoring
Log Sources to Monitor
- Windows Security Event Logs
- Sysmon (File creation and process execution events)
- Endpoint Detection and Response (EDR) telemetry
- File integrity monitoring tools
Detection Queries
Windows Event Log (File Creation – Startup Folder)
EventID:4663
ObjectName:*\Microsoft\Windows\Start Menu\Programs\Startup\*
ProcessName:*calibre*
Sysmon – File Creation Outside Expected Directories
EventID=11
Image IN ("calibre.exe","ebook-convert.exe","calibre-portable.exe")
TargetFilename NOT LIKE "%Calibre Library%"
AND TargetFilename NOT LIKE "%Temp%"
Microsoft Defender Advanced Hunting (KQL)
DeviceFileEvents
| where InitiatingProcessFileName in ("calibre.exe","ebook-convert.exe")
| where FolderPath contains @"\Startup\"
Splunk Query Example
index=windows_logs
(Process_Name="calibre.exe" OR Process_Name="ebook-convert.exe")
Target_File_Path="*\\Startup\\*"
Behavioral Indicators
- File creation in Startup directories immediately after ebook conversion
- Calibre writing executable or script files
- Unexpected persistence artifacts linked to Calibre processes
- User reports of corrupted files following EPUB conversions
Mitigation and Remediation
- Upgrade all installations of Calibre to version 9.2.0 or later
- Restrict ebook conversion from untrusted sources
- Apply endpoint protections to prevent unauthorized Startup folder writes
- Monitor ebook conversion utilities in high-risk environments
- Run Calibre with least-privilege user accounts where feasible
Official Patch / Upgrade Link
Calibre Official Downloads and Release Notes:
https://calibre-ebook.com/whats-new
