PT-2026-20988 · Calibre · Calibre
0X5T · Published 2026-02-20 · Updated 2026-04-21 · CVE-2026-26064
CVSS v4.0: 9.3 Critical
Vector: AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: calibre versions 9.2.1 and below
Description: calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. A path traversal flaw in versions 9.2.1 and below allows a crafted archive to write arbitrary files to any location the user running calibre has write permission for. On Windows this can lead to code execution: a malicious payload written to the user's Startup folder runs at the next login. The extract_pictures() function only verifies that member file names start with 'Pictures' and does not sanitize '..' sequences. While calibre's ZipFile.extractall() in utils/zipfile.py strips '..' via get_targetpath(), extract_pictures() bypasses that protection by reading members with zf.read() and writing them with a manual open(), so the unsanitized name reaches the filesystem. User interaction is required (UI:A): the victim has to open the crafted file in calibre.
Recommendations: Update to calibre version 9.3.0 or later. Until then, treat e-book archives from untrusted sources as hostile input and avoid the extract-pictures workflow on them.
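The following is an added illustration of the weakness class described above, written for this page; it is not calibre's code, and the helper names (make_sample_archive, extract_pictures_vulnerable, extract_pictures_safe, demo) are hypothetical. The vulnerable function reproduces the described pattern (a startswith('Pictures') check followed by manual zf.read() and open()), the hardened one resolves the final path and requires it to stay under the destination directory, and both run on a constructed in-memory ZIP containing a traversal member. It goes slightly beyond the advisory by also normalizing backslash separators and rejecting absolute member names.

```python
"""Prefix-only name check vs. containment check when extracting ZIP members.

Hypothetical reconstruction of the weakness described in the advisory; these
helpers are written for this page and are not calibre's own code.
"""
import io
import os
import tempfile
import zipfile

PREFIX = "Pictures"


def make_sample_archive() -> bytes:
    """Constructed sample archive: one benign picture plus one traversal member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Pictures/cover.jpg", b"\xff\xd8\xff")           # benign
        zf.writestr("Pictures/../../escaped.txt", b"not a picture")  # traversal
    return buf.getvalue()


def extract_pictures_vulnerable(archive: bytes, dest: str) -> list[str]:
    """Mirrors the flawed pattern: startswith() check, then manual read()/open().

    Nothing removes '..', so the OS resolves it and the write lands outside dest.
    Returns the resolved paths that were written.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            if not name.startswith(PREFIX):
                continue
            target = os.path.join(dest, name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(name))
            written.append(os.path.realpath(target))
    return written


def extract_pictures_safe(archive: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Hardened form: resolve the final path and require it to stay under dest.

    Backslashes are folded to '/' so a name crafted for Windows separators is
    judged the same way on every platform. Absolute names are caught because
    os.path.join() discards dest for them and realpath() then falls outside root.
    Returns (written paths, rejected member names).
    """
    written, rejected = [], []
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            normalized = name.replace("\\", "/")
            if not normalized.startswith(PREFIX + "/"):
                continue
            target = os.path.realpath(os.path.join(root, normalized))
            if os.path.commonpath([root, target]) != root:
                rejected.append(name)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(name))
            written.append(target)
    return written, rejected


def demo() -> dict:
    """Run both extractors on the sample archive inside a throwaway directory."""
    archive = make_sample_archive()
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)

        def rel(path: str) -> str:
            return os.path.relpath(path, root).replace(os.sep, "/")

        vuln_dest = os.path.join(root, "vuln")
        safe_dest = os.path.join(root, "safe")
        os.makedirs(vuln_dest)
        os.makedirs(safe_dest)

        vuln_written = extract_pictures_vulnerable(archive, vuln_dest)
        safe_written, rejected = extract_pictures_safe(archive, safe_dest)

        # Any write whose resolved path is not under vuln_dest escaped the sandbox.
        escaped = [rel(p) for p in vuln_written
                   if os.path.commonpath([vuln_dest, p]) != vuln_dest]
        return {
            "vuln_escaped": escaped,
            "safe_written": [rel(p) for p in safe_written],
            "rejected": rejected,
        }


if __name__ == "__main__":
    print(demo())
```

The containment check is deliberately done on the fully resolved path rather than on the raw member name: a check that only looks for the substring '..' can be sidestepped by encodings, symlinks already present under the destination, or separator tricks, whereas comparing os.path.realpath() of the final target against the destination root catches all of those with one comparison.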

Tags: Exploit · Fix · RCE · Path traversal

Related Identifiers

BDU:2026-04347
CVE-2026-26064
GHSA-72CH-3HQC-PGMP
OPENSUSE-SU-2026:10587-1

Affected Products: Calibre