PT-2026-22385 · Calibre · Calibre
Dxleryt
·
Published
2026-01-01
·
Updated
2026-04-21
·
CVE-2026-27824
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
calibre versions prior to 9.4.0
Description
calibre is an e-book manager used for viewing, converting, editing, and cataloging e-books. The Content Server's brute-force protection mechanism relies on a ban key derived from both the remote address and the X-Forwarded-For header. The X-Forwarded-For header is read directly from HTTP requests without validation and without any trusted-proxy configuration, so any client can supply an arbitrary value. This allows an attacker to bypass IP-based bans by modifying or adding to the X-Forwarded-For header on each request, since every new header value yields a new ban key, effectively disabling the brute-force protection. This poses a risk to servers exposed to the internet, as brute-force protection is a primary defense against credential stuffing and password guessing attacks.
Recommendations
Update to calibre version 9.4.0 or later.
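The mechanism in the description, as an added example that is not calibre's code: a ban key that mixes in the raw X-Forwarded-For value lets a client that changes the header on every request evade the ban, while a key that only honours the header when the direct peer is a configured trusted proxy does not. The function names, the failure threshold of three, the trusted-proxy list and the sample addresses are assumptions made for this example.

```python
# Added illustrative example (not calibre's code): a ban key built from an
# unvalidated X-Forwarded-For header versus one that trusts the header only
# behind a configured proxy. Threshold, names and addresses are assumed.
import ipaddress
from collections import defaultdict

MAX_FAILURES = 3  # assumed ban threshold for this example


def ban_key_vulnerable(remote_addr, headers):
    """Weak pattern: the attacker-controlled header becomes part of the key."""
    xff = headers.get("X-Forwarded-For", "")
    return f"{remote_addr}|{xff}"


def ban_key_hardened(remote_addr, headers, trusted_proxies):
    """Only consult X-Forwarded-For when the direct peer is a trusted proxy.

    trusted_proxies is a list of ipaddress networks. A proxy appends the real
    client last, so the rightmost hop that is not itself a trusted proxy is used.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in trusted_proxies):
        return remote_addr  # direct client: the header is untrusted, ignore it
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # garbage in the header: fall back to the peer address
        if not any(addr in net for net in trusted_proxies):
            return str(addr)
    return remote_addr


class BruteForceGuard:
    """Counts failed logins per ban key and refuses requests past the threshold."""

    def __init__(self, key_func):
        self.key_func = key_func
        self.failures = defaultdict(int)

    def is_banned(self, remote_addr, headers):
        return self.failures[self.key_func(remote_addr, headers)] >= MAX_FAILURES

    def record_failure(self, remote_addr, headers):
        self.failures[self.key_func(remote_addr, headers)] += 1


def simulate_guessing(key_func, attacker_ip="198.51.100.7", attempts=20):
    """Password-guessing loop where each request carries a fresh X-Forwarded-For.

    Returns how many guesses the server actually processed before the ban held.
    """
    guard = BruteForceGuard(key_func)
    processed = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"10.0.0.{i % 250 + 1}"}  # constructed spoof value
        if guard.is_banned(attacker_ip, headers):
            continue
        processed += 1  # the guess reaches the password check
        guard.record_failure(attacker_ip, headers)
    return processed


if __name__ == "__main__":
    trusted = [ipaddress.ip_network("192.0.2.0/24")]  # assumed reverse-proxy range
    print("vulnerable key, guesses processed:", simulate_guessing(ban_key_vulnerable))
    print("hardened key, guesses processed:",
          simulate_guessing(lambda a, h: ban_key_hardened(a, h, trusted)))
```

With the weak key every spoofed header value starts a fresh failure counter, so all 20 guesses reach the password check; with the hardened key a direct client is keyed on its peer address alone and is cut off after MAX_FAILURES guesses. Behind a trusted proxy the hardened key resolves to the client the proxy appended, and a client-supplied prefix in the header does not change it.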
Exploit
Fix
Origin Validation Error
Improper Restriction of Excessive Authentication Attempts
Related Identifiers
Affected Products
Calibre