
CVE-2026-25731: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine in kovidgoyal calibre

Severity: High
Published: Fri Feb 06 2026 (02/06/2026, 20:14:35 UTC)
Source: CVE Database V5
Vendor/Project: kovidgoyal
Product: calibre

Description

calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index command-line options. This vulnerability is fixed in 9.2.0.

AI-Powered Analysis

AI Last updated: 02/06/2026, 20:44:30 UTC

Technical Analysis

CVE-2026-25731 identifies a Server-Side Template Injection (SSTI) vulnerability in the Templite templating engine used by calibre, an open-source e-book management application. Prior to version 9.2.0, calibre's conversion process accepts custom HTML templates via the --template-html or --template-html-index command-line options. Because special elements in these templates are not properly neutralized (CWE-1336), a crafted template can inject code that is executed on the host during ebook conversion. Exploitation requires local access and user interaction (the user must run the conversion command with the malicious template), but no prior authentication beyond that local access is needed. The CVSS 3.1 score of 7.8 reflects high impact on confidentiality, integrity, and availability with low attack complexity, tempered by the local attack vector. Exploitation could lead to full system compromise, data theft, or disruption of services that rely on calibre. The vulnerability is fixed in calibre 9.2.0 by properly sanitizing template inputs to prevent code injection. No public exploits are currently known, but the risk remains for unpatched systems, especially where calibre runs in automated or multi-user contexts.

Potential Impact

For European organizations, this vulnerability poses a significant risk if calibre is used in environments where untrusted users can supply templates or trigger ebook conversions, such as shared servers, automated pipelines, or multi-user workstations. Successful exploitation could lead to arbitrary code execution, resulting in data breaches, system compromise, or service disruption. This is particularly concerning for organizations handling sensitive intellectual property or personal data within ebooks or related workflows. The local attack vector limits remote exploitation, but insider threats or compromised user accounts could leverage this vulnerability. Additionally, organizations using calibre in automated document processing or digital libraries may face operational interruptions. The high confidentiality, integrity, and availability impact means that exploitation could have severe consequences for data protection and business continuity under European data protection regulations like GDPR.

Mitigation Recommendations

The primary mitigation is to upgrade all calibre installations to version 9.2.0 or later, where the vulnerability is patched. Organizations should audit their usage of the --template-html and --template-html-index options to ensure that only trusted templates are used. Restrict access to systems running calibre to trusted personnel and enforce strict user permissions so that unauthorized users cannot supply templates. Implement monitoring and alerting for unusual or unauthorized execution of calibre conversion commands, especially those involving custom templates. In environments where calibre is integrated into automated workflows, validate and sanitize all template inputs before processing. Consider isolating calibre execution in sandboxed or containerized environments to limit potential damage from exploitation. Finally, educate users about the risks of running calibre with untrusted templates and enforce policies to avoid such practices.
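As an added example (not calibre's own code), the following Python script shows the two audit checks the recommendations call for: comparing an installed calibre version against the 9.2.0 fix, and flagging conversion command lines that pass --template-html or --template-html-index so the template files can be reviewed. It assumes conversions are run through calibre's ebook-convert command-line tool and that command lines are available from process auditing; the version banner and command lines below are constructed samples.

```python
# Added example (not calibre's code): audit helpers for CVE-2026-25731.
# Assumes conversions run via calibre's ebook-convert CLI and that process
# command lines are available from auditing; all sample data is constructed.
import re
import shlex
FIXED_VERSION = (9, 2, 0)
# Options named in the advisory that load a user-supplied template file.
TEMPLATE_OPTIONS = ("--template-html", "--template-html-index")
# Constructed stand-in for `ebook-convert --version` output.
SAMPLE_VERSION_OUTPUT = "ebook-convert (calibre 9.1.0)"
# Constructed process command lines, e.g. from auditd EXECVE or EDR telemetry.
SAMPLE_COMMAND_LINES = [
    "ebook-convert book.epub out.mobi --output-profile kindle",
    "ebook-convert book.epub out/ --template-html /tmp/custom.html",
    "/opt/calibre/ebook-convert in.epub out/ --template-html-index=/srv/idx.html",
    "calibredb list --fields title",
]

def parse_calibre_version(text):
    """Return (major, minor, patch) from a calibre version banner, or None."""
    m = re.search(r"calibre\s+(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_vulnerable(version):
    """True when the installed calibre predates the 9.2.0 fix."""
    return version is not None and version < FIXED_VERSION

def find_template_conversions(command_lines):
    """Return (command line, template path) for conversions using a custom template."""
    hits = []
    for line in command_lines:
        argv = shlex.split(line)
        if not argv or not argv[0].endswith("ebook-convert"):
            continue
        for i, arg in enumerate(argv):
            opt, _, inline_value = arg.partition("=")
            if opt in TEMPLATE_OPTIONS:
                # Accept both `--opt path` and `--opt=path` spellings.
                path = inline_value or (argv[i + 1] if i + 1 < len(argv) else "")
                hits.append((line, path))
    return hits

if __name__ == "__main__":
    ver = parse_calibre_version(SAMPLE_VERSION_OUTPUT)
    print("installed:", ver, "vulnerable:", is_vulnerable(ver))
    for cmd, path in find_template_conversions(SAMPLE_COMMAND_LINES):
        print("custom template in use:", path, "<-", cmd)
```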


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-02-05T16:48:00.427Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69864f52f9fa50a62f30f2eb

Added to database: 2/6/2026, 8:30:10 PM

Last enriched: 2/6/2026, 8:44:30 PM

Last updated: 2/6/2026, 9:33:25 PM

