calibre Content Server's Brute-Force Protection Can Be Bypassed
CVE-2026-27824
Summary
calibre's Content Server, used to manage e-books, has a security weakness that lets attackers bypass its protection against repeated login attempts, which makes password guessing easier. Update to version 9.4.0 or later to fix the issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| calibre-ebook | calibre | <= 9.4.0 | – |
Original title
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Server's brute-force protection mechanism uses a ban...
Original description
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Server's brute-force protection mechanism uses a ban key derived from both `remote_addr` and the `X-Forwarded-For` header. Since the `X-Forwarded-For` header is read directly from the HTTP request without any validation or trusted-proxy configuration, an attacker can bypass IP-based bans by simply changing or adding this header, rendering the brute-force protection completely ineffective. This is particularly dangerous for calibre servers exposed to the internet, where brute-force protection is the primary defense against credential stuffing and password guessing attacks. Version 9.4.0 contains a fix for the issue.
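The following is an added example, not calibre's own code, showing the two ban-key strategies the description contrasts: a key that folds the raw `X-Forwarded-For` header into the ban key, and a hardened variant that only honours the header when the TCP peer is a configured trusted proxy (and then walks the forwarding chain from the right, skipping known proxies). The request shape, the `TRUSTED_PROXIES` set, the `LoginLimiter` class and all addresses are assumptions constructed for the example; it goes slightly beyond the advisory by also handling multi-hop `X-Forwarded-For` chains and malformed values.

```python
"""Added example (not calibre's code): deriving a login ban key with and
without validating X-Forwarded-For. All names, the request representation
and the TRUSTED_PROXIES set are assumptions made for this illustration."""
import ipaddress
from collections import defaultdict

# Hypothetical deployment setting: reverse proxies allowed to set X-Forwarded-For.
TRUSTED_PROXIES = {"10.0.0.5"}


def weak_ban_key(remote_addr: str, headers: dict) -> str:
    """Pattern the advisory describes: the unvalidated header is part of the key,
    so each distinct header value gets its own, fresh attempt budget."""
    xff = headers.get("X-Forwarded-For", "")
    return f"{remote_addr}|{xff}"


def _is_trusted_proxy(addr: str) -> bool:
    """True only for syntactically valid addresses listed in TRUSTED_PROXIES."""
    try:
        return str(ipaddress.ip_address(addr.strip())) in TRUSTED_PROXIES
    except ValueError:
        return False


def client_ip(remote_addr: str, headers: dict) -> str:
    """Hardened variant: X-Forwarded-For is honoured only when the TCP peer is a
    trusted proxy, and only the nearest hop that is not itself a trusted proxy
    is used. Anything else (direct client, garbage header) falls back to the peer."""
    if not _is_trusted_proxy(remote_addr):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted_proxy(hop):
            continue  # a proxy we operate appended this hop; keep walking left
        try:
            return str(ipaddress.ip_address(hop))  # normalise; rejects malformed values
        except ValueError:
            break
    return remote_addr


def strong_ban_key(remote_addr: str, headers: dict) -> str:
    """Ban key derived from the validated client address only."""
    return client_ip(remote_addr, headers)


class LoginLimiter:
    """Minimal failed-login counter keyed by whatever key_func returns."""

    def __init__(self, max_failures: int = 3, key_func=strong_ban_key):
        self.max_failures = max_failures
        self.key_func = key_func
        self.failures = defaultdict(int)

    def is_banned(self, remote_addr: str, headers: dict) -> bool:
        return self.failures[self.key_func(remote_addr, headers)] >= self.max_failures

    def record_failure(self, remote_addr: str, headers: dict) -> None:
        self.failures[self.key_func(remote_addr, headers)] += 1


def simulate(key_func, attempts: int = 6) -> int:
    """Constructed scenario: one client connecting directly (not via a trusted
    proxy), each failed login carrying a different X-Forwarded-For value.
    Returns how many attempts were admitted past the ban check."""
    limiter = LoginLimiter(max_failures=3, key_func=key_func)
    admitted = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"192.0.2.{i}"}
        if limiter.is_banned("203.0.113.7", headers):
            continue
        admitted += 1
        limiter.record_failure("203.0.113.7", headers)
    return admitted


if __name__ == "__main__":
    print("weak key admits", simulate(weak_ban_key), "of 6 attempts")
    print("strong key admits", simulate(strong_ban_key), "of 6 attempts")
```

With the weak key every attempt lands on a new counter, so the limit never trips; with the hardened key the direct client's header is ignored and the limit trips after three failures. When a trusted proxy is in front of the server, the hardened variant still attributes the failure to the real client address that the proxy recorded, so legitimate proxied deployments keep working.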
NVD CVSS 3.1 score: 5.3
Vulnerability type
CWE-307 (Improper Restriction of Excessive Authentication Attempts)
CWE-346 (Origin Validation Error)
- https://github.com/kovidgoyal/calibre/security/advisories/GHSA-vhxc-r7v8-2xrw (Vendor Advisory, Exploit)
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026