Calibre, a widely used cross-platform e-book management tool, suffers from a critical path traversal vulnerability identified as CVE-2026-26065, classified under CWE-22. This vulnerability affects versions prior to 9.3.0 and is rooted in the PDB (Program Database) reader components handling both 132-byte and 202-byte header variants. The flaw allows an attacker to craft malicious e-book files that exploit improper pathname validation, enabling arbitrary file writes to any location where the user has write permissions. Files are written in binary mode ('wb'), silently overwriting existing files without warning, which can corrupt important files or introduce malicious code. The attack vector requires user interaction (e.g., opening a malicious e-book) but does not require authentication or elevated privileges. Successful exploitation can lead to remote code execution if the attacker can place executable files or scripts in sensitive locations, or cause denial of service by corrupting critical files. The vulnerability has a CVSS 4.0 base score of 9.3, indicating critical severity with high impact on confidentiality, integrity, and availability. The issue was addressed and fixed in calibre version 9.3.0, and no public exploits have been reported to date.

The impact of CVE-2026-26065 is significant for organizations and individual users relying on calibre for e-book management. Exploitation can lead to arbitrary code execution, allowing attackers to run malicious code in the context of the affected user, potentially leading to system compromise, data theft, or lateral movement within a network. Denial of service can be induced by overwriting or corrupting important files, disrupting user operations. Because calibre is cross-platform, the threat spans Windows, macOS, and Linux environments, increasing the scope of affected systems. Organizations using calibre in corporate environments or for digital content distribution may face risks of targeted attacks or supply chain compromise. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in environments where users frequently open untrusted e-book files. The lack of authentication requirement further lowers the barrier for attackers. The silent overwrite behavior exacerbates the risk by making detection difficult until damage is done.

To mitigate CVE-2026-26065, organizations and users should immediately upgrade calibre to version 9.3.0 or later, where the vulnerability is patched. Until upgrade, users should avoid opening e-books from untrusted or unknown sources, especially those that may contain PDB reader components. Implement endpoint security controls such as application whitelisting and behavior monitoring to detect suspicious file writes or modifications. Employ file integrity monitoring on critical directories to alert on unexpected changes. Restrict user write permissions where possible to limit the locations where arbitrary files can be written. Educate users about the risks of opening unverified e-book files and encourage cautious handling of digital content. Network segmentation and least privilege principles can reduce the impact of potential exploitation. Finally, monitor threat intelligence feeds for any emerging exploit attempts targeting this vulnerability.