PT-2026-6790 · Calibre · Calibre

Dxleryt

Published

2026-02-06

Updated

2026-04-21

CVE-2026-25731

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions calibre versions prior to 9.2.0

Description calibre is an e-book manager. A Server-Side Template Injection (SSTI) vulnerability exists in calibre’s Templite templating engine. This allows for arbitrary code execution when a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index command-line options. Server-Side Template Injection (SSTI) is a flaw that allows an attacker to inject malicious code into a template engine, potentially leading to unauthorized access or control of the system.

Recommendations Update to calibre version 9.2.0 or later.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1336

Related Identifiers

CVE-2026-25731

GHSA-XRH9-W7QX-3GCC

OPENSUSE-SU-2026:10587-1

Affected Products

Calibre

PT-2026-6790 · Calibre · Calibre

CVE-2026-25731

Weakness Enumeration

Related Identifiers

Affected Products

References · 26