Calibre, a widely used cross-platform e-book management software, versions 9.2.1 and earlier contain a critical path traversal vulnerability identified as CVE-2026-26065 (CWE-22). The flaw exists in the handling of PDB readers for both 132-byte and 202-byte header variants, where the software fails to properly restrict pathname inputs. This allows an attacker to craft malicious e-book files that cause calibre to write arbitrary files to any location where the user has write permissions. The files are written in binary mode ('wb'), silently overwriting existing files without validation. This arbitrary file write capability can be leveraged to execute malicious code if executable files are overwritten or created, or to cause denial of service by corrupting important files. Exploitation requires user interaction (opening or processing a malicious e-book) but no prior authentication or elevated privileges. The vulnerability has a CVSS 4.0 score of 9.3, indicating critical severity with high impact on confidentiality, integrity, and availability. The issue was publicly disclosed on February 20, 2026, and fixed in calibre version 9.3.0. No known exploits have been reported in the wild as of now.

The vulnerability poses a significant risk to organizations and individuals using calibre for e-book management. Successful exploitation can lead to arbitrary code execution, allowing attackers to run malicious payloads with the privileges of the user running calibre. This can result in full system compromise, data theft, or lateral movement within networks. Additionally, denial of service can be induced by corrupting critical files, disrupting business operations. Since calibre is cross-platform and popular among users managing large e-book libraries, the attack surface is broad. The requirement for user interaction limits remote exploitation but social engineering or malicious e-book distribution campaigns could increase risk. The silent overwrite behavior exacerbates impact by potentially destroying important files without warning. Organizations relying on calibre in enterprise or educational environments may face operational disruptions and security breaches if unpatched.

The primary mitigation is to upgrade calibre to version 9.3.0 or later, where the vulnerability is fixed. Until upgrade is possible, organizations should implement strict controls on e-book file sources, avoiding untrusted or unknown files. Employ endpoint protection solutions capable of detecting anomalous file writes or suspicious behaviour related to calibre processes. Restrict user write permissions on critical directories to limit the scope of arbitrary file writes. Educate users about the risks of opening e-books from unverified sources to reduce the likelihood of social engineering exploitation. Monitor file system changes and application logs for unusual activity indicative of exploitation attempts. Consider sandboxing or running calibre with least privilege to contain potential damage. Regularly review and apply security updates for all software components.