Cross-site Scripting (XSS) in janeczku/calibre-web
Description
A Cross-site Scripting (XSS) vulnerability exists in janeczku/calibre-web, specifically in the file edit_books.js. The vulnerability occurs when editing book properties, such as uploading a cover or a format. The affected code directly inserts user input into the DOM without proper sanitization, allowing attackers to execute arbitrary JavaScript code. This can lead to various attacks, including stealing cookies. The issue is present in the code handling the #btn-upload-cover change event.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CalibreWeb is vulnerable to stored XSS in edit_books.js when uploading book covers or formats, allowing arbitrary JavaScript execution through unsanitized user input.
Vulnerability
Overview
The vulnerability resides in edit_books.js, specifically in the event handlers for uploading book covers (#btn-upload-cover) and book formats. The code uses .html() to set the filename into the DOM, which interprets user-controlled input (the filename) as HTML markup rather than plain text. This lack of sanitization allows an attacker to inject arbitrary JavaScript by crafting a malicious filename containing script tags or HTML event handlers [1][3].
Exploitation
Path
An attacker with permission to edit book properties can upload a file (cover or format) whose filename contains a persistent XSS payload, such as .txt. When the page renders the uploaded filename using .html(), the payload executes in the browser context of any user viewing the edited book details. No additional authentication is needed beyond the ability to edit books; a malicious librarian or anyone with editorial privileges can trigger the attack [1][4].
Impact
Successful exploitation enables arbitrary JavaScript execution in victims' browsers. The attacker can steal session cookies, redirect users to phishing pages, or perform actions on behalf of the victim, effectively compromising the confidentiality and integrity of the Calibre-Web instance and its users [1][4].
Remediation
The vulnerability was fixed in commit 7ad419dc8c12180e842a82118f4866ac3d074bc5 by replacing .html() with .text(), which inserts the filename as text content rather than markup, so any HTML-significant characters in it are displayed literally instead of being parsed. Users should update to any version after this commit to mitigate the risk [3]. No workaround is available; patching is the recommended action.
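To make the overview and remediation concrete, the following is an added example (not calibre-web's own code) that models what the patch changes. Node has no DOM, so a tiny stand-in element is assumed whose html() parses its argument as markup, as jQuery's .html() does through innerHTML, and whose text() stores it as character data, as jQuery's .text() does through textContent. The stripFakePath helper and the FAKEPATH_PREFIX constant are also assumptions: they replace the advisory's substring(3, 11) check with a whole-prefix match. The sample filename is constructed and carries only harmless markup.

```javascript
// Added example: .html() versus .text() when a filename taken from an
// <input type="file"> is written into the page.

// Minimal stand-in for a DOM element (assumption; Node has no DOM).
class FakeElement {
  constructor() { this.innerHTML = ""; }
  // .html(): the string is parsed as markup, so tags in it become nodes.
  html(markup) { this.innerHTML = String(markup); return this; }
  // .text(): the string is stored as character data; serializing it back
  // escapes every character that could open markup.
  text(value) { this.innerHTML = escapeHtml(String(value)); return this; }
  // Number of tags present in the serialized markup.
  tagCount() { return (this.innerHTML.match(/<[a-zA-Z!/][^>]*>/g) || []).length; }
}

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, ch => map[ch]);
}

// Browsers report a file input's value as "C:\fakepath\<name>". The code in
// the advisory compares filename.substring(3, 11) to "fakepath" and then drops
// 12 characters; matching the whole prefix instead never truncates an
// unrelated name that merely contains "fakepath".
const FAKEPATH_PREFIX = "C:\\fakepath\\";
function stripFakePath(value) {
  return value.startsWith(FAKEPATH_PREFIX) ? value.slice(FAKEPATH_PREFIX.length) : value;
}

// Before the fix: the filename goes through .html(), so markup in it is live.
function renderFilenameVulnerable(inputValue) {
  return new FakeElement().html(stripFakePath(inputValue));
}

// After the fix (commit 7ad419dc8c12): .text() keeps the filename inert.
function renderFilenameFixed(inputValue) {
  return new FakeElement().text(stripFakePath(inputValue));
}

// Constructed sample: a cover filename carrying harmless markup.
const SAMPLE = "C:\\fakepath\\<b>cover</b> & more.jpg";

// Returns both renderings side by side so the difference is inspectable.
function demo(inputValue = SAMPLE) {
  return {
    vulnerable: renderFilenameVulnerable(inputValue).innerHTML,
    fixed: renderFilenameFixed(inputValue).innerHTML,
  };
}

console.log(demo());
```

Running it shows the vulnerable rendering containing two live tags while the fixed rendering contains none, because .text() turns `<`, `>` and `&` into their entity forms before the browser ever parses them.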
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| calibreweb (PyPI) | < 0.6.15 | 0.6.15 |
Affected products
- janeczku/calibre-web (vendor: janeczku), version range: unspecified
Patches
7ad419dc8c12 Fix upload of cover and book formats containing html characters
1 file changed · +2 −2
cps/static/js/edit_books.js+2 −2 modified@@ -248,15 +248,15 @@ $("#btn-upload-format").on("change", function () { if (filename.substring(3, 11) === "fakepath") { filename = filename.substring(12); } // Remove c:\fake at beginning from localhost chrome - $("#upload-format").html(filename); + $("#upload-format").text(filename); }); $("#btn-upload-cover").on("change", function () { var filename = $(this).val(); if (filename.substring(3, 11) === "fakepath") { filename = filename.substring(12); } // Remove c:\fake at beginning from localhost chrome - $("#upload-cover").html(filename); + $("#upload-cover").text(filename); }); $("#xchange").click(function () {
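Review bot: The switch from .html() to .text() in both the #upload-format and #upload-cover handlers is the correct fix for the unescaped filename, but the prefix stripping that precedes it in each handler is still fragile: `if (filename.substring(3, 11) === "fakepath") { filename = filename.substring(12); }` assumes a 12-character `C:\fakepath\` prefix and will also truncate any unrelated filename that happens to contain "fakepath" at offset 3. Prefer a whole-prefix check such as `if (filename.indexOf("C:\\fakepath\\") === 0) { filename = filename.substring(12); }`, or read the name from `this.files[0].name`, which never carries the fake path. The comment "Remove c:\fake at beginning from localhost chrome" is also misleading: the prefix is `C:\fakepath\` and is added by all current browsers for file inputs, not only by Chrome on localhost.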
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References