{"id":"UBUNTU-CVE-2026-26065","details":"calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below are vulnerable to Path Traversal through PDB readers (both 132-byte and 202-byte header variants) that allow arbitrary file writes with arbitrary extension and arbitrary content anywhere the user has write permissions. Files are written in 'wb' mode, silently overwriting existing files. This can lead to potential code execution and Denial of Service through file corruption. This issue has been fixed in version 9.3.0.","modified":"2026-02-27T09:59:13Z","published":"2026-02-20T02:16:00Z","upstream":["CVE-2026-26065"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-26065"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2026-26065"},{"type":"REPORT","url":"https://github.com/kovidgoyal/calibre/security/advisories/GHSA-vmfh-7mr7-pp2w"},{"type":"REPORT","url":"https://github.com/kovidgoyal/calibre/commit/b6da1c3878c06eb1356cb0ec1106cb66e0e9bfb8"}],"affected":[{"package":{"name":"calibre","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/calibre@2.55.0+dfsg-1ubuntu0.2?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.33.0+dfsg-1build1","2.38.0+dfsg-1","2.45.0+dfsg-1","2.45.0+dfsg-1build1","2.48.0+dfsg-1","2.48.0+dfsg-1build1","2.54.0+dfsg-1","2.55.0+dfsg-1","2.55.0+dfsg-1ubuntu0.2"],"ecosystem_specific":{"binaries":[{"binary_version":"2.55.0+dfsg-1ubuntu0.2","binary_name":"calibre"},{"binary_version":"2.55.0+dfsg-1ubuntu0.2","binary_name":"calibre-bin"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26065.json"}},{"package":{"name":"calibre","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/calibre@3.21.0+dfsg-1build1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["3.7.0+dfsg-2","3.7.0+dfsg-2build1","3.12.0+dfsg-1","3.13.0+dfsg-1","3.14.0+dfsg-1","3.15.0.1+dfsg-1","3.16.0+dfsg-1","3.16.0+dfsg-1build1","3.17.0+dfsg-1","3.17.0+dfsg-2","3.18.0+dfsg-1build1","3.19.0+dfsg-1","3.20.0+dfsg-1","3.21.0+dfsg-1","3.21.0+dfsg-1build1"],"ecosystem_specific":{"binaries":[{"binary_version":"3.21.0+dfsg-1build1","binary_name":"calibre"},{"binary_version":"3.21.0+dfsg-1build1","binary_name":"calibre-bin"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26065.json"}},{"package":{"name":"calibre","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/calibre@4.99.4+dfsg+really4.12.0-1ubuntu1?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["3.46.0+dfsg-1","4.2.0+dfsg-2","4.3.0+dfsg-1","4.3.0+dfsg-2","4.4.0+dfsg-1","4.5.0+dfsg-1","4.5.0+dfsg-2","4.5.0+dfsg-3","4.6.0+dfsg-1","4.7.0+dfsg-1","4.99.3+dfsg-2","4.99.4+dfsg-1","4.99.4+dfsg-1build1","4.99.4+dfsg+really4.10.0+py3-2","4.99.4+dfsg+really4.11.2-1","4.99.4+dfsg+really4.11.2-1build1","4.99.4+dfsg+really4.12.0-1","4.99.4+dfsg+really4.12.0-1build1","4.99.4+dfsg+really4.12.0-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_version":"4.99.4+dfsg+really4.12.0-1ubuntu1","binary_name":"calibre"},{"binary_version":"4.99.4+dfsg+really4.12.0-1ubuntu1","binary_name":"calibre-bin"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26065.json"}},{"package":{"name":"calibre","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/calibre@5.37.0+dfsg-1build1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["5.25.0+dfsg-2","5.33.2+dfsg-1","5.34.0+dfsg-1","5.35.0+dfsg-1ubuntu2","5.37.0+dfsg-1","5.37.0+dfsg-1build1"],"ecosystem_specific":{"binaries":[{"binary_version":"5.37.0+dfsg-1build1","binary_name":"calibre"},{"binary_version":"5.37.0+dfsg-1build1","binary_name":"calibre-bin"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26065.json"}},{"package":{"name":"calibre","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/calibre@7.6.0+ds-1build1?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["6.24.0+ds-1","6.29.0+ds-1","7.0.0+ds-1","7.1.0+ds-1","7.1.0+ds-2","7.2.0+ds-1","7.2.0+ds-1build1","7.3.0+ds-1","7.4.0+ds-1","7.5.1+ds-1","7.5.1+ds-2","7.5.1+ds-3","7.6.0+ds-1","7.6.0+ds-1build1"],"ecosystem_specific":{"binaries":[{"binary_version":"7.6.0+ds-1build1","binary_name":"calibre"},{"binary_version":"7.6.0+ds-1build1","binary_name":"calibre-bin"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26065.json"}},{"package":{"name":"calibre","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/calibre@8.8.0+ds-3build1?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["7.26.0+ds-4build1","8.3.0+ds-1","8.4.0+ds-1","8.5.0+ds-1","8.6.0+ds-1","8.7.0+ds-1","8.8.0+ds-2","8.8.0+ds-3","8.8.0+ds-3build1"],"ecosystem_specific":{"binaries":[{"binary_version":"8.8.0+ds-3build1","binary_name":"calibre"},{"binary_version":"8.8.0+ds-3build1","binary_name":"calibre-bin"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26065.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}