PT-2026-22384 · Calibre · Calibre

Mistz1 · Published 2026-01-01 · Updated 2026-04-21 · CVE-2026-27810

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: calibre versions prior to 9.4.0

Description: calibre is an e-book manager for viewing, converting, editing, and cataloging e-books. An HTTP response header injection exists in the calibre Content Server for versions before 9.4.0. An authenticated user can inject arbitrary HTTP headers into server responses through an unsanitized content disposition query parameter. This occurs in the /get/ and /data-files/get/ API endpoints. The issue is exploitable by any authenticated user, potentially through a crafted link. All users running the calibre Content Server with authentication enabled are affected.

Recommendations: Update to calibre version 9.4.0 or later.
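The defect class described above is a request-controlled value copied into a response header without removing CR/LF. The following is an added example, not calibre's code and not the 9.4.0 fix: it shows the unsafe concatenation pattern beside a hardened Content-Disposition builder (type whitelist, control-character rejection, RFC 6266/8187 encoding), a write-boundary check that a server can apply to every outgoing header, and a small log-side helper for spotting such requests. The parameter names `disposition` and `filename` and the query key `content_disposition` are assumptions made here for illustration; the advisory does not name the parameter.

```python
"""Hardened Content-Disposition construction and a log-side check.

Added example, not calibre's code. The parameter names (`disposition`,
`filename`) and the query key `content_disposition` are assumptions made
here for illustration; the advisory only says that an unsanitized content
disposition query parameter reached the response headers.
"""
import re
from urllib.parse import parse_qs, quote

# Any C0 control character or DEL; CR and LF are the ones that split headers.
_CTL = re.compile(r"[\x00-\x1f\x7f]")
_ALLOWED_TYPES = ("inline", "attachment")


def build_disposition_unsafe(disposition: str, filename: str) -> str:
    """The vulnerable pattern: request text concatenated into a header value.

    A value containing CR LF is emitted as-is, so the client sees extra
    header lines that the server never intended to send.
    """
    return f'{disposition}; filename="{filename}"'


def build_disposition(disposition: str, filename: str) -> str:
    """Hardened form: whitelist the type, reject control characters, encode."""
    if disposition not in _ALLOWED_TYPES:
        raise ValueError(f"unsupported disposition type: {disposition!r}")
    if _CTL.search(filename):
        raise ValueError("control characters are not allowed in a header value")
    # ASCII fallback for the plain filename= parameter: drop quotes and
    # backslashes that would break the quoted-string, replace non-ASCII.
    ascii_name = (
        filename.encode("ascii", "replace").decode("ascii")
        .replace('"', "").replace("\\", "")
    )
    # The RFC 6266 / RFC 8187 extended parameter carries the exact UTF-8 name,
    # percent-encoded so no byte outside the token set can reach the wire.
    ext_name = quote(filename, safe="")
    return f"{disposition}; filename=\"{ascii_name}\"; filename*=UTF-8''{ext_name}"


def unsafe_header_names(headers: dict) -> list:
    """Last-line check at the write boundary: names of headers whose value
    could terminate the header line. An empty list means every value is clean."""
    return [name for name, value in headers.items() if _CTL.search(value)]


def looks_like_header_injection(query_string: str, key: str = "content_disposition") -> bool:
    """Detection helper for request logs: True when the given query parameter
    percent-decodes to a value containing CR or LF."""
    values = parse_qs(query_string, keep_blank_values=True).get(key, [])
    return any("\r" in v or "\n" in v for v in values)


if __name__ == "__main__":
    # Constructed sample: a download request with a benign filename.
    print(build_disposition("attachment", "book.epub"))
    # Constructed sample log query string carrying an encoded CR LF.
    print(looks_like_header_injection("content_disposition=attachment%0d%0aX-Test%3a1&id=5"))
```

The write-boundary check is the one worth keeping even after the input is validated: a framework that refuses to serialize any header value containing a control character turns every future instance of this bug into a 500 rather than a split response.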

Exploit

Fix

Weakness Enumeration

Related Identifiers

CVE-2026-27810
GHSA-5FPJ-FXW7-8GRW
OPENSUSE-SU-2026:10587-1

Affected Products

Calibre