Bug 2437936 (CVE-2026-25635)

Summary: CVE-2026-25635 calibre: Calibre: Remote Code Execution via path traversal in CHM reader
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Calibre's CHM reader. This path traversal vulnerability allows an attacker to write arbitrary files to locations where the user has write permissions. On Windows systems, this could lead to remote code execution by placing a malicious file in the Startup folder, which would then execute upon the user's next login. This vulnerability primarily results in arbitrary code execution.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2437955, 2437958    
Bug Blocks:    

Description OSIDB Bzimport 2026-02-09 11:14:56 UTC 
calibre is an e-book manager. Prior to 9.2.0, Calibre's CHM reader contains a path traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows (haven't tested on other OS's), this can lead to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. This vulnerability is fixed in 9.2.0.