CVE-2026-25636: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in kovidgoyal calibre
calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0.
AI Analysis
Technical Summary
CVE-2026-25636 is a path traversal vulnerability identified in the calibre e-book management software, specifically in versions 9.1.0 and earlier. The flaw occurs during the EPUB conversion process, where calibre processes the CipherReference URI found in the META-INF/encryption.xml file of an EPUB archive. Instead of restricting file operations to the conversion extraction directory, calibre resolves this URI to an absolute filesystem path and opens the referenced file in read-write mode. This improper limitation of the pathname allows a crafted EPUB file to reference files outside the intended directory, enabling an attacker to overwrite or corrupt arbitrary files writable by the calibre process. The vulnerability is classified under CWE-22 (Path Traversal), CWE-73 (External Control of File Name or Path), and CWE-94 (Improper Control of Generation of Code). Exploitation requires user interaction, specifically the user initiating the conversion of a malicious EPUB file. No privileges are required to trigger the vulnerability, but the attack surface is limited to users who process untrusted EPUB content. The vulnerability impacts the integrity and availability of files on the host system, as arbitrary files can be corrupted or overwritten. The issue was addressed and fixed in calibre version 9.2.0. There are no known exploits in the wild at the time of publication, but the CVSS v3.1 score of 8.2 reflects the high potential impact and relatively low attack complexity.
Potential Impact
For European organizations, the impact of CVE-2026-25636 can be significant, particularly for those that rely on calibre for managing or converting e-books, such as libraries, educational institutions, publishers, and digital content distributors. Successful exploitation can lead to corruption or loss of critical files accessible by the calibre process, potentially disrupting workflows, causing data loss, or damaging system integrity. Since calibre is often run with user-level permissions, the scope of damage is limited to files writable by that user, but this can still include important documents or configuration files. Additionally, if calibre is integrated into automated content processing pipelines, the vulnerability could be exploited to disrupt operations or introduce malicious modifications. The requirement for user interaction limits mass exploitation, but targeted attacks against specific users or organizations remain a concern. The vulnerability does not directly compromise confidentiality but can degrade system availability and integrity, impacting business continuity and trust in digital content management.
Mitigation Recommendations
European organizations should immediately upgrade all calibre installations to version 9.2.0 or later, where the vulnerability is fixed. Until upgrades are completed, restrict calibre’s file system permissions to limit writable directories strictly to those necessary for operation, preventing unauthorized file modifications outside the intended scope. Implement application whitelisting and sandboxing to isolate calibre processes and reduce the risk of arbitrary file corruption. Educate users to avoid converting EPUB files from untrusted or unknown sources, as exploitation requires user-initiated conversion of malicious files. Monitor file integrity in directories used by calibre for unexpected changes, and employ endpoint detection and response (EDR) tools to detect suspicious file operations. For organizations using automated EPUB processing, validate input files rigorously and consider additional scanning for malicious content before conversion. Maintain up-to-date backups of critical data to enable recovery in case of file corruption.
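The containment check that the conversion step is missing, and that a pre-conversion validator for automated pipelines can apply, as an added example written for this page and not calibre's own code; the extraction directory name and the sample encryption.xml are constructed.

```python
import os
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit
import xml.etree.ElementTree as ET

XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#"

# Constructed sample encryption.xml: one legitimate container-relative reference
# and one that climbs out of the extraction directory, the pattern the CVE describes.
SAMPLE_ENCRYPTION_XML = b"""<?xml version="1.0"?>
<encryption xmlns="urn:oasis:names:tc:opendocument:xmlns:container"
            xmlns:enc="http://www.w3.org/2001/04/xmlenc#">
  <enc:EncryptedData>
    <enc:CipherData><enc:CipherReference URI="OEBPS/fonts/body.otf"/></enc:CipherData>
  </enc:EncryptedData>
  <enc:EncryptedData>
    <enc:CipherData><enc:CipherReference URI="../../outside/target.txt"/></enc:CipherData>
  </enc:EncryptedData>
</encryption>"""


def cipher_reference_uris(encryption_xml: bytes) -> List[str]:
    """Return every CipherReference URI declared in META-INF/encryption.xml."""
    root = ET.fromstring(encryption_xml)
    return [el.get("URI", "") for el in root.iter(f"{{{XMLENC_NS}}}CipherReference")]


def resolve_inside(extract_dir: str, uri: str) -> Optional[str]:
    """Resolve a container-relative URI under extract_dir; None if it would escape.

    Only scheme-less, host-less, relative references are container-local. The
    realpath/commonpath comparison is done after percent-decoding, so encoded
    '..' segments and symlinks inside the tree cannot sidestep the check.
    """
    parts = urlsplit(uri)
    path = unquote(parts.path)
    if parts.scheme or parts.netloc or not path or path.startswith("/"):
        return None
    root = os.path.realpath(extract_dir)
    candidate = os.path.realpath(os.path.join(root, *path.split("/")))
    try:
        if os.path.commonpath([root, candidate]) != root:
            return None
    except ValueError:  # different Windows drives: cannot be inside root
        return None
    return candidate


def scan_encryption_xml(encryption_xml: bytes, extract_dir: str) -> List[Tuple[str, Optional[str]]]:
    """Pair each CipherReference URI with its in-tree path, or None when it escapes."""
    return [(u, resolve_inside(extract_dir, u)) for u in cipher_reference_uris(encryption_xml)]
```

A validator that rejects any EPUB whose scan returns a None entry catches the malicious reference before conversion touches the filesystem.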
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-04T05:15:41.790Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69864f52f9fa50a62f30f2e5
Added to database: 2/6/2026, 8:30:10 PM
Last enriched: 2/14/2026, 11:46:01 AM
Last updated: 3/24/2026, 1:15:08 AM