calibre allows attackers to write files anywhere on your computer

CVE-2026-26064
Summary

Old versions of calibre can allow attackers to write files to any location on your computer, potentially leading to malware installation on Windows. This is a security risk because attackers can use this to take control of your computer. To fix this, update calibre to version 9.3.0 or later.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor        | Product | Affected versions | Fix available
calibre-ebook | calibre | <= 9.3.0          | –
Original title
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file write...
Original description
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows, this leads to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. Function extract_pictures only checks startswith('Pictures'), and does not sanitize '..' sequences. calibre's own ZipFile.extractall() in utils/zipfile.py does sanitize '..' via _get_targetpath(), but extract_pictures() bypasses this by using manual zf.read() + open(). This issue has been fixed in version 9.3.0.
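The description above comes down to one check: a bare `startswith('Pictures')` on an archive member name, which accepts names carrying `..` components. As an added illustration (this is not calibre's code and not the 9.3.0 fix; every function name and the sample archive below are constructed for this example), here is that weak prefix test beside a hardened extraction routine that rejects `..` components and absolute names, then confirms the resolved target still lies under the destination directory before opening a file for writing.

```python
import io
import os
import zipfile
from typing import List, Optional

# Hypothetical helpers for this example; names are not calibre's own.

def weak_is_picture(name: str) -> bool:
    # Mirrors the defect the advisory describes: a prefix test alone says nothing
    # about '..' components, so traversal names pass it.
    return name.startswith('Pictures')

def resolve_member_path(dest_dir: str, member_name: str) -> Optional[str]:
    """Return the absolute path at which member_name may be written under
    dest_dir, or None if the name would escape dest_dir."""
    name = member_name.replace('\\', '/')          # archive names use '/'
    first = name.split('/')[0]
    if name.startswith('/') or ':' in first:       # absolute path or drive letter
        return None
    parts = [p for p in name.split('/') if p not in ('', '.')]
    if not parts or '..' in parts:                 # reject any traversal component
        return None
    dest_abs = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_abs, *parts))
    try:
        # Belt and braces: the resolved target must stay inside dest_dir.
        if os.path.commonpath([dest_abs, target]) != dest_abs:
            return None
    except ValueError:                             # different drives on Windows
        return None
    return target

def safe_extract_pictures(zip_bytes: bytes, dest_dir: str) -> List[str]:
    """Extract only members under Pictures/, skipping any that would escape dest_dir."""
    written: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith('Pictures/'):
                continue
            target = resolve_member_path(dest_dir, info.filename)
            if target is None:
                continue                           # traversal attempt: do not write
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, 'wb') as f:          # manual read + open, but checked
                f.write(zf.read(info))
            written.append(target)
    return written

def build_sample_archive() -> bytes:
    """Constructed sample: one legitimate picture plus one member whose name
    carries a '..' component. zipfile preserves the name as written."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('Pictures/cover.png', b'\x89PNG sample bytes')
        zf.writestr('Pictures/../escaped.txt', b'must never reach disk')
    return buf.getvalue()

def run_demo() -> dict:
    """Extract the sample archive into a temporary directory and report what
    actually landed on disk, relative to that directory."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        base = os.path.realpath(d)
        written = safe_extract_pictures(build_sample_archive(), d)
        rel = sorted(os.path.relpath(p, base).replace(os.sep, '/') for p in written)
        escaped = os.path.exists(os.path.join(base, 'escaped.txt')) or \
            os.path.exists(os.path.join(os.path.dirname(base), 'escaped.txt'))
    return {'written': rel, 'escaped': escaped}

if __name__ == '__main__':
    print('weak check accepts traversal name:',
          weak_is_picture('Pictures/../escaped.txt'))
    print(run_demo())
```

The hardened routine applies two independent controls, which is the pattern to look for when auditing any hand-rolled archive extraction: a syntactic rejection of `..` and absolute components, and a semantic containment check on the resolved path. Either alone is weaker than both together; the second also catches names that only become traversal after separator normalisation.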
NVD CVSS 3.1: 8.8
NVD CVSS 4.0: 9.3
Vulnerability type
CWE-22 Path Traversal
Published: 20 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026