CVE-2026-30853: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in kovidgoyal calibre
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to 9.5.0, a path traversal vulnerability in the RocketBook (.rb) input plugin (src/calibre/ebooks/rb/reader.py) allows an attacker to write arbitrary files to any path writable by the calibre process when a user opens or converts a crafted .rb file. This is the same bug class fixed in CVE-2026-26065 for the PDB readers, but the fix was never applied to the RB reader. This vulnerability is fixed in 9.5.0.
AI Analysis
Technical Summary
Calibre is a widely used cross-platform e-book management software that supports viewing, converting, editing, and cataloging e-books. In versions prior to 9.5.0, the RocketBook (.rb) input plugin contains a path traversal vulnerability (CWE-22) in the file reader.py. This vulnerability allows an attacker to craft a malicious .rb file that, when opened or converted by the user, causes calibre to write arbitrary files to any path writable by the calibre process. The root cause is improper validation and limitation of file pathnames, enabling directory traversal outside intended directories. This bug is analogous to CVE-2026-26065, which affected the PDB reader plugin but was fixed there; however, the fix was not applied to the RB reader, leaving it vulnerable. Exploitation requires user interaction and local access to the application, as the attacker must trick the user into opening or converting the malicious file. The vulnerability impacts integrity and availability by allowing unauthorized file writes, potentially leading to code execution or denial of service. The issue is resolved in calibre 9.5.0. No known public exploits have been reported to date.
Potential Impact
The vulnerability allows attackers to write arbitrary files to any location writable by the calibre process, which can lead to unauthorized modification or replacement of files, potentially enabling code execution or disruption of normal operations. For organizations relying on calibre for e-book management, this could compromise system integrity or availability, especially if calibre runs with elevated privileges or on shared systems. The requirement for user interaction and local access limits remote exploitation but does not eliminate risk, particularly in environments where users might open untrusted e-books. Attackers could leverage this to implant malicious payloads or disrupt workflows. The medium CVSS score reflects moderate risk, but the impact could be severe if exploited in sensitive environments.
Mitigation Recommendations
Organizations and users should upgrade calibre to version 9.5.0 or later, where this vulnerability is fixed. Until upgrading, users should avoid opening or converting untrusted or suspicious .rb files. Running calibre with the least privileges necessary can limit the impact of exploitation by restricting writable paths. Implementing application whitelisting and endpoint protection can help detect and prevent unauthorized file modifications. Additionally, educating users about the risks of opening untrusted e-book files can reduce the likelihood of exploitation. Monitoring file system changes in directories accessible by calibre may help detect suspicious activity. Developers should review other input plugins for similar path traversal issues to prevent analogous vulnerabilities.
Affected Countries
United States, Germany, United Kingdom, France, Japan, Canada, Australia, India, Brazil, South Korea
CVE-2026-30853: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in kovidgoyal calibre
Description
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to 9.5.0, a path traversal vulnerability in the RocketBook (.rb) input plugin (src/calibre/ebooks/rb/reader.py) allows an attacker to write arbitrary files to any path writable by the calibre process when a user opens or converts a crafted .rb file. This is the same bug class fixed in CVE-2026-26065 for the PDB readers, but the fix was never applied to the RB reader. This vulnerability is fixed in 9.5.0.
AI-Powered Analysis
Technical Analysis
Calibre is a widely used cross-platform e-book management software that supports viewing, converting, editing, and cataloging e-books. In versions prior to 9.5.0, the RocketBook (.rb) input plugin contains a path traversal vulnerability (CWE-22) in the file reader.py. This vulnerability allows an attacker to craft a malicious .rb file that, when opened or converted by the user, causes calibre to write arbitrary files to any path writable by the calibre process. The root cause is improper validation and limitation of file pathnames, enabling directory traversal outside intended directories. This bug is analogous to CVE-2026-26065, which affected the PDB reader plugin but was fixed there; however, the fix was not applied to the RB reader, leaving it vulnerable. Exploitation requires user interaction and local access to the application, as the attacker must trick the user into opening or converting the malicious file. The vulnerability impacts integrity and availability by allowing unauthorized file writes, potentially leading to code execution or denial of service. The issue is resolved in calibre 9.5.0. No known public exploits have been reported to date.
Potential Impact
The vulnerability allows attackers to write arbitrary files to any location writable by the calibre process, which can lead to unauthorized modification or replacement of files, potentially enabling code execution or disruption of normal operations. For organizations relying on calibre for e-book management, this could compromise system integrity or availability, especially if calibre runs with elevated privileges or on shared systems. The requirement for user interaction and local access limits remote exploitation but does not eliminate risk, particularly in environments where users might open untrusted e-books. Attackers could leverage this to implant malicious payloads or disrupt workflows. The medium CVSS score reflects moderate risk, but the impact could be severe if exploited in sensitive environments.
Mitigation Recommendations
Organizations and users should upgrade calibre to version 9.5.0 or later, where this vulnerability is fixed. Until upgrading, users should avoid opening or converting untrusted or suspicious .rb files. Running calibre with the least privileges necessary can limit the impact of exploitation by restricting writable paths. Implementing application whitelisting and endpoint protection can help detect and prevent unauthorized file modifications. Additionally, educating users about the risks of opening untrusted e-book files can reduce the likelihood of exploitation. Monitoring file system changes in directories accessible by calibre may help detect suspicious activity. Developers should review other input plugins for similar path traversal issues to prevent analogous vulnerabilities.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-05T21:27:35.341Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69b4622a2f860ef9438be2c9
Added to database: 3/13/2026, 7:14:50 PM
Last enriched: 3/13/2026, 7:29:04 PM
Last updated: 3/13/2026, 11:47:16 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.