PT-2026-53655 · Kovid Goyal+1 · Calibre

Hyuunnn

·

Published

2026-06-27

·

Updated

2026-07-07

·

CVE-2026-53511

CVSS v4.0

8.5

High

VectorAV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions calibre versions prior to 9.10.0
Description A flaw exists where reading metadata from a malicious EPUB, OPF, or PDF file allows the execution of arbitrary Python code. This occurs when a custom column definition containing a python: template is embedded within calibre:user metadata and subsequently passed unsanitized to the exec() function in the template formatter. This can be triggered through actions such as Add books or Edit books.
Recommendations Update to version 9.10.0.

Fix

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-53511
OPENSUSE-SU-2026:11130-1

Affected Products

Calibre