Calibre, a widely used cross-platform e-book management application, versions 9.2.1 and earlier contain a critical path traversal vulnerability (CVE-2026-26064) in the extract_pictures function. This function attempts to extract image files from e-book archives but only checks if file paths start with 'Pictures' without sanitizing directory traversal sequences such as '..'. This allows an attacker to craft a malicious e-book archive containing files with paths that traverse outside the intended directory, enabling arbitrary file writes anywhere the user has write permissions. On Windows systems, this can be exploited to achieve remote code execution by writing a malicious executable or script to the Startup folder, which runs automatically at the next user login. The vulnerability stems from extract_pictures circumventing calibre's own secure ZipFile.extractall() method, which properly sanitizes paths, by manually reading and writing files using zf.read() and open(), thus bypassing path validation. The flaw requires user interaction to open a malicious e-book but does not require authentication or elevated privileges. The vulnerability was publicly disclosed and fixed in calibre version 9.3.0. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) reflects a critical severity with high impact on confidentiality, integrity, and availability, and low attack complexity. No known exploits have been reported in the wild as of the publication date.

This vulnerability poses a significant risk to users of calibre, especially on Windows platforms where it can lead to remote code execution. Successful exploitation allows attackers to write arbitrary files, potentially implanting malware that executes with the user's privileges. This can result in full system compromise, data theft, persistence mechanisms, and lateral movement within networks. Organizations relying on calibre for e-book management or distribution may face risks of malware infection and data breaches. The requirement for user interaction (opening a malicious e-book) limits automated exploitation but does not eliminate risk, especially in environments where users frequently exchange e-books or download from untrusted sources. The broad write permissions required mean that any directory writable by the user is at risk, increasing the attack surface. The vulnerability undermines the integrity and availability of user systems and can facilitate further attacks.

Organizations and users should immediately upgrade calibre to version 9.3.0 or later, where this vulnerability is patched. Until upgrading, users should avoid opening e-books from untrusted or unknown sources. Implement endpoint protection solutions capable of detecting suspicious file writes to critical directories such as the Startup folder. Employ application whitelisting to prevent unauthorized executables from running at startup. On Windows, monitor and restrict write permissions to sensitive directories to limit exploitation impact. Educate users about the risks of opening files from untrusted sources and encourage cautious behavior. For organizations deploying calibre in managed environments, consider sandboxing or running the application with least privilege to minimize potential damage. Regularly audit systems for unexpected files in startup locations and unusual process executions. Finally, maintain up-to-date backups to recover from potential compromises.