cvedb.io
CVE-2026-33206
MEDIUM · CVSS 6.3
EPSS exploitation probability: 0%
Published 2026-03-27T15:16:54.453 · Last modified 2026-06-17T10:37:07.327

Summary

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a path traversal vulnerability exists in Calibre' handling of images in Markdown and other similar text-based files allowing an attacker to include arbitrary files from the file system into the converted book. Additionally, missing authentication and server-side request forgery in the background-image endpoint in the ebook reader web view allow the files to be exfiltrated without additional interaction. Version 9.6.0 contains a fix.

Affected products

calibre-ebook — calibre

Does this affect you?

Add your gear to cvedb and we'll alert you only when calibre-ebook ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.