CVE-2026-27810: CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in kovidgoyal calibre
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, an HTTP Response Header Injection vulnerability in the calibre Content Server allows any authenticated user to inject arbitrary HTTP headers into server responses via an unsanitized `content_disposition` query parameter in the `/get/` and `/data-files/get/` endpoints. All users running the calibre Content Server with authentication enabled are affected. The vulnerability is exploitable by any authenticated user and can also be triggered by tricking an authenticated victim into clicking a crafted link. Version 9.4.0 contains a fix for the issue.
AI Analysis
Technical Summary
CVE-2026-27810 is a medium-severity vulnerability classified under CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers) affecting the calibre e-book manager's Content Server component prior to version 9.4.0. The vulnerability exists because the Content Server fails to properly sanitize the content_disposition query parameter in the /get/ and /data-files/get/ HTTP endpoints. This allows an authenticated attacker to inject arbitrary HTTP headers into server responses by including CRLF (carriage return and line feed) sequences in the parameter. Such injection leads to HTTP Response Splitting attacks, where the attacker can manipulate how the server constructs HTTP responses, potentially causing cache poisoning, cross-site scripting (XSS), or session fixation attacks. Exploitation requires the attacker to be authenticated to the Content Server, but no additional user interaction is necessary. Alternatively, an attacker can trick an authenticated user into clicking a maliciously crafted URL to trigger the vulnerability. The vulnerability impacts confidentiality and integrity by enabling header manipulation but does not affect availability. The issue was fixed in calibre version 9.4.0 by properly sanitizing the content_disposition parameter to neutralize CRLF sequences. The CVSS v3.1 base score is 6.4, reflecting network attack vector, low attack complexity, required privileges (authenticated user), no user interaction, and partial confidentiality and integrity impacts. No public exploits have been reported so far.
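The defect class described above comes down to how the header line is assembled. The following is an added illustration written for this page, not calibre's code and not the 9.4.0 fix: `naive_content_disposition` shows the unsafe pattern (a request-controlled value concatenated into the header line, so a CR/LF inside it ends the header and whatever follows is read as a new one), and `safe_content_disposition` shows the neutralization CWE-113 calls for, removing control characters, escaping the quoted string and carrying non-ASCII names in the RFC 5987 `filename*` parameter. The function names and sample filenames are constructed.

```python
import re
from urllib.parse import quote

# Any ASCII control character, CR (0x0d) and LF (0x0a) included, is forbidden
# in an HTTP header field value; a bare CR/LF ends the header line.
_CTL = re.compile(r'[\x00-\x1f\x7f]')


def header_is_well_formed(header_line: str) -> bool:
    """True if the line cannot be split into a second header by the recipient."""
    return _CTL.search(header_line) is None


def naive_content_disposition(disposition: str, filename: str) -> str:
    """The unsafe pattern (hypothetical, not calibre's code): a request-controlled
    string is dropped straight into the header line. A CR/LF inside `filename`
    terminates this header and whatever follows is parsed as a new one."""
    return f'Content-Disposition: {disposition}; filename="{filename}"'


def safe_content_disposition(disposition: str, filename: str) -> str:
    """Neutralized form: only the two disposition types are allowed, every
    control character is removed, quoted-string escaping is applied, and a
    non-ASCII name is carried in the RFC 5987 filename* parameter."""
    if disposition not in ('inline', 'attachment'):
        raise ValueError('disposition must be "inline" or "attachment"')
    cleaned = _CTL.sub('', filename)          # drop CR, LF and other controls
    ascii_name = cleaned.encode('ascii', 'ignore').decode('ascii')
    quoted = ascii_name.replace('\\', '\\\\').replace('"', '\\"')
    header = f'Content-Disposition: {disposition}; filename="{quoted}"'
    if not cleaned.isascii():
        header += "; filename*=UTF-8''" + quote(cleaned, safe='')
    assert header_is_well_formed(header)      # invariant the naive form lacks
    return header


if __name__ == '__main__':
    # Constructed sample: a filename carrying an embedded CR/LF.
    bad_name = 'book\r\n.epub'
    print(repr(naive_content_disposition('attachment', bad_name)))
    print(repr(safe_content_disposition('attachment', bad_name)))
    print(safe_content_disposition('inline', 'Bücher.epub'))
```

Stripping is one valid neutralization; rejecting the whole request with a 400 when a control character is present is the other, and it has the advantage of leaving a clear log entry for the monitoring step below.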
Potential Impact
Organizations running the calibre Content Server with authentication enabled and using versions prior to 9.4.0 are at risk. An attacker with valid credentials can manipulate HTTP response headers, potentially leading to session fixation, cache poisoning, or cross-site scripting attacks against users of the Content Server. This can compromise user confidentiality and data integrity, particularly in environments where sensitive e-book content or user data is served. The ability to exploit via crafted links increases risk by enabling social engineering attacks targeting authenticated users. While availability is not impacted, the manipulation of HTTP headers can undermine trust in the server's responses and facilitate further attacks. Organizations relying on the calibre Content Server for internal or external e-book distribution should consider this a moderate risk, especially if authentication credentials are weak or easily compromised. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, as public disclosure may prompt attackers to develop exploits.
Mitigation Recommendations
The primary mitigation is to upgrade all calibre Content Server instances to version 9.4.0 or later, where the vulnerability is fixed by proper sanitization of the content_disposition parameter. Until an upgrade is possible, organizations should restrict access to the Content Server to trusted users only and enforce strong authentication mechanisms to reduce the risk of credential compromise. Monitoring and logging HTTP requests to the /get/ and /data-files/get/ endpoints for content_disposition parameters that contain raw or percent-encoded CR/LF sequences can help detect attempted exploitation. Implementing web application firewalls (WAFs) with rules to detect and block CRLF injection attempts in HTTP headers may provide temporary protection. Educating users about the risks of clicking untrusted links, especially when authenticated to the Content Server, can reduce social engineering exploitation. Finally, organizations should review and harden their HTTP response header configurations to minimize the impact of any injection.
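For the monitoring step above, here is an added detection example (not from the page and not calibre's own tooling) that scans access-log lines in Common Log Format for requests to the two advisory endpoints whose content_disposition value, once percent-decoded, contains CR, LF or another control character. The log lines, usernames and addresses are constructed samples; `WATCHED_PREFIXES` assumes the server is served from the root path.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (Common Log Format); not real calibre output.
SAMPLE_LOG = """\
10.0.0.5 - alice [27/Feb/2026:19:56:11 +0000] "GET /get/EPUB/12/library?content_disposition=attachment HTTP/1.1" 200 48213
10.0.0.9 - bob [27/Feb/2026:19:57:02 +0000] "GET /data-files/get/12/notes.pdf?content_disposition=inline%0d%0aX-Test:%201 HTTP/1.1" 200 1024
10.0.0.9 - bob [27/Feb/2026:19:57:40 +0000] "GET /get/cover/12/library HTTP/1.1" 200 5000
10.0.0.7 - carol [27/Feb/2026:19:58:13 +0000] "GET /get/EPUB/3/library?content_disposition=attachment%250a HTTP/1.1" 200 777
10.0.0.8 - dave [27/Feb/2026:19:59:01 +0000] "GET /other?content_disposition=%0a HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Endpoints named in the advisory. Assumes the server is served from "/";
# prepend the prefix if calibre sits behind a reverse proxy under a sub-path.
WATCHED_PREFIXES = ('/get/', '/data-files/get/')

# CR, LF and every other ASCII control character.
CTL = re.compile(r'[\x00-\x1f\x7f]')


def suspicious_disposition(target: str):
    """Return the decoded content_disposition value if it contains a control
    character and the path is one of the watched endpoints, else None."""
    parts = urlsplit(target)
    if not parts.path.startswith(WATCHED_PREFIXES):
        return None
    # parse_qs percent-decodes exactly once, matching what the server sees.
    # A double-encoded %250a therefore stays as the literal text "%0a" and is
    # not flagged; also inspect the raw query if a front end decodes twice.
    values = parse_qs(parts.query, keep_blank_values=True).get('content_disposition', [])
    for value in values:
        if CTL.search(value):
            return value
    return None


def scan_log(text: str) -> list:
    """Return one finding per log line whose request target is suspicious."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                     # not CLF; skip rather than guess
        value = suspicious_disposition(m['target'])
        if value is not None:
            findings.append({
                'ip': m['ip'], 'user': m['user'], 'ts': m['ts'],
                'target': m['target'], 'decoded_value': value,
            })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} user={f['user']} {f['target']} -> {f['decoded_value']!r}")
```

Because the vulnerability is only reachable by an authenticated user, the `user` field is the useful pivot: a hit from an account that is otherwise legitimate points at the crafted-link scenario the advisory describes rather than at a compromised credential.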
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, India, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-24T02:31:33.267Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a1f6db32ffcdb8a26bc2e2
Added to database: 2/27/2026, 7:56:11 PM
Last enriched: 2/27/2026, 8:12:56 PM
Last updated: 2/28/2026, 5:43:02 AM