CVE-2026-33205 is a Server-Side Request Forgery (SSRF) vulnerability identified in the calibre e-book management software developed by kovidgoyal. Calibre is a widely used cross-platform application for viewing, converting, editing, and cataloging e-books. The vulnerability exists in the background-image endpoint of the calibre e-book reader's web view component prior to version 9.6.0. An attacker can exploit this flaw by inducing the application to perform blind HTTP GET requests to arbitrary URLs, effectively allowing the attacker to interact with internal or external network resources from the context of the calibre application. This SSRF can be leveraged to exfiltrate information from the ebook sandbox environment, potentially bypassing network restrictions or accessing internal services that are otherwise inaccessible externally. The vulnerability does not require authentication but does require user interaction, such as opening a malicious e-book or triggering the vulnerable functionality. The CVSS 4.8 score reflects a medium severity, considering the local attack vector, low complexity, no privileges required, and user interaction needed. The vulnerability was publicly disclosed and patched in calibre version 9.6.0. No known exploits have been reported in the wild, but the risk remains for users running outdated versions. The vulnerability falls under CWE-918, which pertains to SSRF issues that allow attackers to abuse server functionality to access or manipulate internal resources.

The impact of CVE-2026-33205 is primarily on confidentiality and potentially limited integrity within the context of the calibre application environment. Successful exploitation allows attackers to perform blind SSRF attacks, which can be used to probe internal networks, access internal services, or exfiltrate data from the ebook sandbox. While the vulnerability does not directly allow remote code execution or system compromise, it can be a stepping stone for further attacks, especially in environments where calibre is used on sensitive networks or where internal services are exposed only to local applications. The requirement for user interaction limits large-scale automated exploitation but targeted attacks remain feasible. Organizations using calibre in corporate or sensitive environments risk information leakage or internal network reconnaissance. The medium severity rating reflects these factors, indicating moderate risk that should be addressed promptly to prevent potential escalation or lateral movement.

To mitigate CVE-2026-33205, organizations and users should upgrade calibre to version 9.6.0 or later, where the vulnerability is patched. Until upgrading is possible, users should avoid opening untrusted or suspicious e-books that could trigger the SSRF. Network-level mitigations include restricting outbound HTTP requests from the host running calibre to only trusted destinations, using firewall rules or proxy controls to limit arbitrary URL access. Additionally, sandboxing calibre execution environments or running it with least privilege can reduce the impact of exploitation. Monitoring network traffic for unusual outbound requests originating from calibre may help detect exploitation attempts. Developers and administrators should review and harden any web view components or background image handling features in similar applications to prevent SSRF vulnerabilities. Regularly applying security updates and educating users about the risks of opening untrusted content are essential complementary measures.