Calibre, a popular cross-platform e-book management software, versions 9.2.1 and earlier contain a critical path traversal vulnerability (CVE-2026-26064) classified under CWE-22. The vulnerability is located in the extract_pictures function, which is responsible for extracting images from e-book archives. Unlike the standard ZipFile.extractall() method in calibre that sanitizes file paths to prevent directory traversal attacks, extract_pictures performs manual extraction by reading zip entries and writing them directly to disk without proper validation. Specifically, it only checks if the filename starts with 'Pictures' but fails to sanitize '..' sequences that can traverse directories. This flaw allows an attacker to craft a malicious e-book archive containing files with paths designed to write arbitrary files anywhere the user has write permissions. On Windows systems, this can be exploited to write a malicious executable or script into the Startup folder, resulting in remote code execution upon the next user login. The vulnerability requires user interaction (opening a malicious e-book) but no prior authentication or elevated privileges. The issue was publicly disclosed and fixed in calibre version 9.3.0. The CVSS 4.0 base score is 9.3, reflecting critical severity due to high impact on confidentiality, integrity, and availability, combined with relatively low attack complexity and no privileges required. No known exploits in the wild have been reported yet, but the potential for impactful attacks is significant given calibre's widespread use.

This vulnerability poses a severe risk to organizations and individual users who utilize vulnerable versions of calibre for e-book management. Successful exploitation can lead to arbitrary file writes, enabling attackers to implant malicious payloads on affected systems. On Windows, this escalates to remote code execution, potentially allowing full system compromise, data theft, or persistence through startup scripts. The impact extends to confidentiality, integrity, and availability of systems. Organizations relying on calibre in enterprise environments, especially those handling sensitive information or operating in regulated sectors, face risks of malware infection, lateral movement, and data breaches. The requirement for user interaction (opening a malicious e-book) somewhat limits mass exploitation but targeted attacks against specific users or organizations remain highly feasible. Additionally, the vulnerability undermines trust in e-book files and digital content distribution channels. The absence of known exploits in the wild suggests an opportunity for proactive mitigation before widespread attacks occur.

The primary mitigation is to upgrade calibre to version 9.3.0 or later, where the vulnerability is patched. Until then, organizations should implement strict file system permissions to limit write access, especially to sensitive directories like the Windows Startup folder. Employ endpoint protection solutions capable of detecting suspicious file writes or execution from startup locations. Educate users to avoid opening e-books from untrusted or unknown sources. Consider sandboxing or running calibre in a restricted environment to contain potential exploitation. Monitor logs for unusual file creation or execution events related to calibre usage. For environments where immediate upgrade is not feasible, disabling the extract_pictures feature or restricting its usage may reduce risk. Regularly review and apply security updates for all software components. Finally, maintain robust backup and incident response plans to recover from potential compromises.