CVE-2026-27810: CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in kovidgoyal calibre
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, an HTTP Response Header Injection vulnerability in the calibre Content Server allows any authenticated user to inject arbitrary HTTP headers into server responses via an unsanitized `content_disposition` query parameter in the `/get/` and `/data-files/get/` endpoints. All users running the calibre Content Server with authentication enabled are affected. The vulnerability is exploitable by any authenticated user and can also be triggered by tricking an authenticated victim into clicking a crafted link. Version 9.4.0 contains a fix for the issue.
AI Analysis
Technical Summary
CVE-2026-27810 is a medium-severity HTTP response header injection (CWE-113, improper neutralization of CRLF sequences in HTTP headers) in the calibre Content Server, the component of the calibre e-book manager that serves a library over HTTP. Before version 9.4.0 the server copies the value of the `content_disposition` query parameter of the `/get/` and `/data-files/get/` endpoints into a response header without rejecting carriage-return and line-feed characters. Because CR LF terminates a header line, a URL-encoded value such as `inline%0d%0aSet-Cookie:%20...` is decoded by the server and continues as a second, attacker-chosen header, and a CR LF CR LF sequence ends the header block so that everything after it is delivered as the start of the response body. The consequences are the usual ones for response splitting: setting cookies in the Content Server's origin (session fixation), serving attacker-controlled markup from that origin (cross-site scripting), and, where a cache sits in front of the server, poisoning cached responses. A valid account is required to reach the endpoints, so the practical attack against other users is a crafted link opened by someone who is already logged in: the victim's browser makes the request and receives the manipulated response. Any authenticated user can also send the request directly. All Content Server versions before 9.4.0 are affected and 9.4.0 contains the fix. No exploitation in the wild has been reported. The CVSS v3.1 base score is 6.4: network attack vector, low attack complexity, low privileges required, no user interaction, low confidentiality and integrity impact and no availability impact; a 6.4 with these metrics corresponds to changed scope, which fits a flaw whose injected headers take effect in the victim's browser rather than on the server. The root cause is the classic one: header values built from request input must be validated (here, restricted to a known set of disposition tokens) and must never contain CR or LF.
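To make the mechanism concrete, here is an added model of the bug class, written for this page and not taken from calibre's source (the advisory does not show the actual handler or the 9.4.0 fix): a handler that formats the query parameter straight into the header, a hardened version that allow-lists the disposition token and encodes the filename, and a parser that shows what a browser receives in each case. The URL, function names and sample bytes are constructed for the example.

```python
"""Added model of the CWE-113 pattern the advisory describes.

Illustrative code written for this page, not calibre's implementation: a
download handler copies the `content_disposition` query parameter into the
Content-Disposition response header.  Function names, the sample URL and the
sample book bytes are constructed for the example.
"""
from urllib.parse import parse_qs, quote, urlsplit

ALLOWED_DISPOSITIONS = frozenset({"inline", "attachment"})


def build_header_vulnerable(disposition: str, filename: str) -> str:
    """Vulnerable: the caller-supplied token is written into the header verbatim,
    so CR LF inside it becomes a line break in the header block."""
    return f'Content-Disposition: {disposition}; filename="{filename}"\r\n'


def build_header_safe(disposition: str, filename: str) -> str:
    """Hardened: allow-list the disposition token and encode the filename
    (RFC 6266 quoted form plus an RFC 8187 filename* form), so no request
    input can carry CR, LF or NUL into the header."""
    if disposition not in ALLOWED_DISPOSITIONS:
        raise ValueError(f"unsupported disposition {disposition!r}")
    ascii_name = "".join(ch for ch in filename if 32 <= ord(ch) < 127 and ch not in '"\\')
    utf8_name = quote(filename.encode("utf-8"), safe="")
    return (f'Content-Disposition: {disposition}; filename="{ascii_name}"; '
            f"filename*=UTF-8''{utf8_name}\r\n")


def render_response(disposition: str, filename: str, body: bytes, build_header) -> bytes:
    """Assemble a minimal HTTP/1.1 response with the chosen header builder."""
    head = ("HTTP/1.1 200 OK\r\n"
            "Content-Type: application/epub+zip\r\n"
            + build_header(disposition, filename)
            + f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("latin-1") + body


def split_response(raw: bytes):
    """Parse wire bytes the way a browser or proxy does: status line, one entry per
    header line, and everything after the first blank line as the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def disposition_from_url(url: str) -> str:
    """Return the decoded `content_disposition` parameter, as the server sees it."""
    return parse_qs(urlsplit(url).query).get("content_disposition", ["attachment"])[0]


# Constructed attacker URL.  %0d%0a decodes to CR LF, so the single parameter
# value is: "inline", a new Set-Cookie header, a blank line, then a script body.
ATTACK_URL = ("/get/EPUB/1/Calibre_Library?content_disposition="
              "inline%0d%0aSet-Cookie:%20session%3Dattacker%0d%0a%0d%0a"
              "%3Cscript%3Ealert(1)%3C/script%3E")


def demo():
    """Run the crafted request through both builders.
    Returns (parsed vulnerable response, whether the safe builder rejected it)."""
    disposition = disposition_from_url(ATTACK_URL)
    vulnerable = split_response(
        render_response(disposition, "book.epub", b"PK\x03\x04", build_header_vulnerable))
    try:
        build_header_safe(disposition, "book.epub")
        rejected = False
    except ValueError:
        rejected = True
    return vulnerable, rejected


if __name__ == "__main__":
    (status, headers, body), rejected = demo()
    print(status, headers, body[:30], "safe builder rejected:", rejected)
```

In the vulnerable case the parsed response carries a `Set-Cookie` header the server never set and a body that begins with the attacker's `<script>` tag, while the real `Content-Length` and EPUB bytes trail behind it; the hardened builder refuses the value outright, and even a filename containing CR LF comes out with those characters removed from the quoted form and percent-encoded in the `filename*` form.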
Potential Impact
An attacker holding a Content Server account, or anyone who can get a logged-in user to open a crafted `/get/` or `/data-files/get/` URL, can add arbitrary headers to the response and control the start of its body. Confidentiality is affected because an injected `Set-Cookie` header or injected script acts within the Content Server's origin and can fix or read the victim's session and the library data it protects; integrity is affected because the response the victim's browser renders is no longer the one the server intended, and a caching proxy in front of the server can be made to store the manipulated response for other users (web cache poisoning). Availability is not affected. The exposure is greatest where many people authenticate to a shared Content Server, for example libraries, schools and companies distributing e-books, since a single low-privilege or compromised account, or one phishing link to a logged-in user, is all that is needed. The medium rating reflects that authentication is required and that the individual confidentiality and integrity impacts are rated low; it does not mean the flaw is harmless, because the same primitive is what turns a response-splitting bug into session fixation or cross-site scripting against other users.
Mitigation Recommendations
1. Upgrade every calibre Content Server instance to version 9.4.0 or later, which contains the fix.
2. Until the upgrade is done, expose the Content Server only to trusted networks and users (VPN, allow-listed source addresses) so that fewer accounts and fewer browsers can reach the vulnerable endpoints.
3. If the server sits behind a reverse proxy or WAF, reject requests to `/get/` and `/data-files/get/` whose query string contains percent-encoded or raw CR or LF (`%0d` and `%0a` in either case, including double-encoded forms such as `%250d`) before they reach calibre; legitimate values of `content_disposition` never contain these characters. Filter on the request side: a standards-compliant proxy re-parses the upstream response and forwards an injected header as if it were genuine, so response-side filtering is unreliable.
4. Tell users not to open unsolicited links to the Content Server while logged in, since the crafted-link path is the one that reaches other accounts.
5. Review access logs for the two endpoints and alert on query strings containing encoded CR or LF; treat hits as attempted exploitation and identify the account that issued them.
6. Require multi-factor authentication where the deployment supports it, so a leaked password alone does not give an attacker the authenticated position the bug needs.
7. Keep the number of accounts that can authenticate to the Content Server to a minimum; any authenticated user can trigger the flaw, so the size of the user population is the size of the attack surface.
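As an added example of the log review and proxy filtering recommended above (written for this page, not part of the advisory or of calibre): a scanner over constructed access-log lines that flags requests to the two affected endpoints whose query parameters decode to CR, LF or NUL, including double-encoded forms that a single URL-decode would miss. The log format, the hosts, the user names and the request lines are made up for the example; adjust the regular expression to your proxy's format.

```python
"""Added example: find CRLF-injection attempts against the affected calibre
Content Server endpoints in access logs.  Log format, hosts, users and request
lines below are constructed for this page; they are not real traffic."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Combined Log Format lines: one benign download, two injection
# attempts (the second one double-encoded), and one CR/LF in an unrelated path.
SAMPLE_LOG = """\
10.0.0.5 - alice [06/Mar/2026:21:41:36 +0000] "GET /get/EPUB/12/Calibre_Library?content_disposition=inline HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
10.0.0.9 - bob [06/Mar/2026:21:42:01 +0000] "GET /get/EPUB/12/Calibre_Library?content_disposition=inline%0d%0aSet-Cookie:%20s%3Dx HTTP/1.1" 200 51234 "-" "curl/8.5.0"
10.0.0.9 - bob [06/Mar/2026:21:42:07 +0000] "GET /data-files/get/12/Calibre_Library/notes.txt?content_disposition=attachment%250d%250aX-Injected:%201 HTTP/1.1" 200 120 "-" "curl/8.5.0"
10.0.0.7 - carol [06/Mar/2026:21:43:00 +0000] "GET /ajax/books/Calibre_Library?ids=1%0d%0a HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
AFFECTED_PREFIXES = ("/get/", "/data-files/get/")   # endpoints named in the advisory
CONTROL_CHARS = re.compile(r"[\r\n\x00]")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so that %250d (a
    double-encoded CR) is recognised as well as %0d."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_header_injection_attempts(log_text: str):
    """Return one (user, ip, target, offending_params) tuple per request to an
    affected endpoint whose query parameters contain CR, LF or NUL after decoding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        parts = urlsplit(target)
        if not parts.path.startswith(AFFECTED_PREFIXES):
            continue
        # parse_qsl decodes one layer; fully_decode handles any further layers.
        offending = sorted({name for name, value in parse_qsl(parts.query, keep_blank_values=True)
                            if CONTROL_CHARS.search(fully_decode(name))
                            or CONTROL_CHARS.search(fully_decode(value))})
        if offending:
            hits.append((m.group("user"), m.group("ip"), target, offending))
    return hits


if __name__ == "__main__":
    for user, ip, target, params in find_header_injection_attempts(SAMPLE_LOG):
        print(f"{user}@{ip} -> {target} (params: {', '.join(params)})")
```

The same decoding rule (decode repeatedly until the string stops changing, then look for control characters) is what a request-side proxy or WAF rule needs, since a single decode sees `%250d` as the harmless literal text `%0d`. The scan is deliberately limited to the two endpoints the advisory names; widening `AFFECTED_PREFIXES` to every path is reasonable on a server where no legitimate query parameter should ever contain CR or LF.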
Affected Countries
United States, United Kingdom, Germany, France, Canada, Australia, Japan, India, Brazil, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-24T02:31:33.267Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a1f6db32ffcdb8a26bc2e2
Added to database: 2/27/2026, 7:56:11 PM
Last enriched: 3/6/2026, 9:41:36 PM
Last updated: 4/13/2026, 6:09:19 AM