Bug 2437730 (CVE-2026-25636)

Summary: CVE-2026-25636 calibre: Calibre: Arbitrary file corruption via path traversal in EPUB conversion
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Calibre, an e-book manager. This path traversal vulnerability allows a malicious EPUB (electronic publication) file to corrupt arbitrary files on the system that the Calibre process has write access to. During EPUB conversion, Calibre incorrectly resolves file paths, enabling an attacker to write to locations outside the intended conversion directory. This can lead to significant data integrity issues and potential denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2437956, 2437960    
Bug Blocks:    

Description OSIDB Bzimport 2026-02-09 11:02:45 UTC 
calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0.