CVE-2026-25731

calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index command-line options. This vulnerability is fixed in 9.2.0.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/kovidgoyal/calibre/commit/f0649b27512e987b95fcab2e1e0a3bcdafc23379	Patch
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-xrh9-w7qx-3gcc	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:calibre-ebook:calibre:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-06 21:16

Updated : 2026-02-17 21:18

NVD link : CVE-2026-25731

Mitre link : CVE-2026-25731

CVE.ORG link : CVE-2026-25731

JSON object : View

Products Affected

calibre-ebook

calibre

CWE

CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine

{"id": "CVE-2026-25731", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2026-02-06T21:16:19.457", "references": [{"url": "https://github.com/kovidgoyal/calibre/commit/f0649b27512e987b95fcab2e1e0a3bcdafc23379", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-xrh9-w7qx-3gcc", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1336"}]}], "descriptions": [{"lang": "en", "value": "calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index command-line options. This vulnerability is fixed in 9.2.0."}, {"lang": "es", "value": "calibre es un gestor de libros electr\u00f3nicos. Antes de la versi\u00f3n 9.2.0, una vulnerabilidad de inyecci\u00f3n de plantillas del lado del servidor (SSTI) en el motor de plantillas Templite de Calibre permite la ejecuci\u00f3n de c\u00f3digo arbitrario cuando un usuario convierte un libro electr\u00f3nico utilizando un archivo de plantilla personalizado malicioso a trav\u00e9s de las opciones de l\u00ednea de comandos --template-html o --template-html-index. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 9.2.0."}], "lastModified": "2026-02-17T21:18:56.893", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:calibre-ebook:calibre:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "264BDA56-70BE-4FCE-96AD-7F9D1BA0FB54", "versionEndExcluding": "9.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}