2441261 – (CVE-2026-26065) CVE-2026-26065 calibre: Calibre: Arbitrary file write and code execution via path traversal in PDB readers

Bug 2441261 (CVE-2026-26065) - CVE-2026-26065 calibre: Calibre: Arbitrary file write and code execution via path traversal in PDB readers

Summary: CVE-2026-26065 calibre: Calibre: Arbitrary file write and code execution via ...

Keywords:
Status:	NEW
Alias:	CVE-2026-26065
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2441321
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-20 03:01 UTC by OSIDB Bzimport
Modified:	2026-02-20 11:30 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-02-20 03:01:37 UTC

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below are vulnerable to Path Traversal through PDB readers (both 132-byte and 202-byte header variants) that allow arbitrary file writes with arbitrary extension and arbitrary content anywhere the user has write permissions. Files are written in 'wb' mode, silently overwriting existing files. This can lead to potential code execution and Denial of Service through file corruption. This issue has been fixed in version 9.3.0.

Note You need to log in before you can comment on or make changes to this bug.