PT-2026-22385 · Calibre · Calibre

Dxleryt · Published 2026-01-01 · Updated 2026-04-21 · CVE-2026-27824

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
calibre versions prior to 9.4.0

Description
calibre is an e-book manager used for viewing, converting, editing, and cataloging e-books. The Content Server's brute-force protection relies on a ban key derived from both the remote address and the X-Forwarded-For header. The X-Forwarded-For header is read directly from the HTTP request without validation and without any trusted-proxy configuration, so its value is entirely attacker-controlled. Because every login attempt can carry a different X-Forwarded-For value, each attempt lands on a different ban key and the failure counter never accumulates against one key; an attacker can therefore bypass IP-based bans by modifying or appending to the header, effectively disabling the brute-force protection. This poses a risk to servers exposed to the internet, as brute-force protection is a primary defense against credential stuffing and password guessing attacks.

Recommendations
Update to calibre version 9.4.0 or later.
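The ban-key weakness described above, modelled as an added example. This is not calibre's code: the class and function names (BanList, vulnerable_ban_key, hardened_ban_key, simulate_bruteforce), the failure threshold MAX_FAILURES and the sample addresses are assumptions. The vulnerable key mixes the raw X-Forwarded-For value into the ban key, so an attacker who rotates the header never accumulates failures against one key; the hardened key ignores the header unless the request arrives from a configured trusted proxy, and in that case takes the rightmost untrusted hop of the chain (the address the proxy itself saw as its client), so spoofed entries to the left of it have no effect.

```python
"""Illustrative model of an IP-ban key that trusts X-Forwarded-For.

Added example, not calibre's code. It reconstructs the class of bug in the
advisory with hypothetical names and shows a trusted-proxy fix beside it.
"""
import ipaddress
from collections import defaultdict

MAX_FAILURES = 5  # assumed threshold; the real value is not given on the page


class BanList:
    """Counts failed logins per key and reports whether a key is banned."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def is_banned(self, key):
        return self.failures[key] >= self.max_failures

    def record_failure(self, key):
        self.failures[key] += 1


def vulnerable_ban_key(remote_addr, headers):
    """Vulnerable pattern: the ban key mixes in the raw X-Forwarded-For header.

    The header is attacker-controlled, so each request can carry a fresh
    value and land on a key that has never seen a failure.
    """
    return f"{remote_addr}|{headers.get('X-Forwarded-For', '')}"


def hardened_ban_key(remote_addr, headers, trusted_proxies=()):
    """Hardened pattern: honour X-Forwarded-For only behind a configured proxy.

    - Direct clients (remote_addr is not a trusted proxy): key on remote_addr.
    - Behind a trusted proxy: walk the chain from the right, skip trusted
      hops, and key on the first untrusted address (the proxy's own client).
      An unparseable entry stops the walk; fall back to remote_addr.
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return remote_addr
    if peer not in trusted:
        return remote_addr
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # garbage in the chain: trust nothing to the left of it
        if addr not in trusted:
            return str(addr)
    return remote_addr


def simulate_bruteforce(key_func, attempts, **kwargs):
    """Send `attempts` failed logins from one real IP, rotating X-Forwarded-For.

    Returns the attempt number at which the attacker is first refused, or
    None if every attempt is still accepted (the ban never engages).
    """
    bans = BanList()
    attacker_ip = "203.0.113.7"  # constructed sample source address
    for i in range(1, attempts + 1):
        # Constructed attacker header: a different forged value per request.
        headers = {"X-Forwarded-For": f"10.0.{i // 256}.{i % 256}"}
        key = key_func(attacker_ip, headers, **kwargs)
        if bans.is_banned(key):
            return i
        bans.record_failure(key)  # assume the password guess failed
    return None


if __name__ == "__main__":
    print("vulnerable, 20 attempts, first ban at:",
          simulate_bruteforce(vulnerable_ban_key, 20))
    print("hardened,   20 attempts, first ban at:",
          simulate_bruteforce(hardened_ban_key, 20))
```

With the vulnerable key the simulated attacker is never banned, because all twenty attempts are counted under twenty different keys; with the hardened key the sixth attempt from the same address is refused. The same hardened function behind a trusted proxy still keys on the address the proxy reports, so a client behind it cannot dodge the ban by prepending forged entries.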

Weakness Enumeration

CWE-346: Origin Validation Error
CWE-307: Improper Restriction of Excessive Authentication Attempts

Related identifiers

CVE-2026-27824
GHSA-VHXC-R7V8-2XRW
OPENSUSE-SU-2026:10587-1

Affected products

Calibre