CVE-2025-55165
Description
Autocaliweb is a web app that offers an interface for browsing, reading, and downloading eBooks using a valid Calibre database. Prior to version 0.8.3, the debug pack generated by Autocaliweb can expose sensitive configuration data, including API keys. This occurs because the to_dict() method, used to serialize configuration for the debug pack, doesn't adequately filter out sensitive fields such as API tokens. Users, unaware of the full contents, might share these debug packs, inadvertently leaking their private API keys. This issue has been patched in version 0.8.3.
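The filtering behaviour described above, as an added example that is not Autocaliweb's own code: the two filter conditions from the fix commit under Patches are run over a constructed settings object, followed by a pre-share check for a debug dictionary. DemoConfig, its field names, audit_debug_dict, the name heuristic and all sample values are assumptions made for illustration.

```python
import re

class DemoConfig:
    """Constructed stand-in for a settings object; every field name is hypothetical."""
    def __init__(self):
        self.config_port = 8083
        self.config_example_api_token = "tok-CONSTRUCTED-123"
        self.config_example_webhook = "https://example.invalid/hook?t=tok-CONSTRUCTED-123"
        self.mail_password_e = "enc:CONSTRUCTED"
        self.cli = object()
        self._session = "internal"

def to_dict_before(cfg):
    # Filter condition as it stood before 0.8.3 (copied from the fix diff).
    return {k: v for k, v in cfg.__dict__.items()
            if k[0] != '_' and not k.endswith("_e") and not k == "cli"}

def to_dict_after(cfg):
    # Filter condition as patched in 0.8.3 (copied from the fix diff).
    return {k: v for k, v in cfg.__dict__.items()
            if k[0] != '_' and not k.endswith("_e") and k != "cli"
            and 'api' not in k.lower()}

# Assumed heuristic for names worth a second look; not taken from the project.
SENSITIVE_NAME = re.compile(r"api|token|secret|passw", re.IGNORECASE)

def audit_debug_dict(storage, known_secrets=()):
    """Pre-share check: list (key, reason) for entries that look like secrets
    by name or whose value contains a secret the caller already knows."""
    findings = []
    for key, value in storage.items():
        text = str(value)
        if SENSITIVE_NAME.search(key):
            findings.append((key, "sensitive-looking name"))
        elif any(s and s in text for s in known_secrets):
            findings.append((key, "known secret value present"))
    return findings

if __name__ == "__main__":
    cfg = DemoConfig()
    for label, fn in (("before 0.8.3", to_dict_before), ("0.8.3", to_dict_after)):
        print(label, audit_debug_dict(fn(cfg), ["tok-CONSTRUCTED-123"]))
```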
Affected products
1- Range: v0.1.0, v0.1.1, v0.1.2, …
Patches
23cfe64d9ffdfv0.8.3
1 file changed · +1 −1
cps/constants.py+1 −1 modified@@ -172,7 +172,7 @@ def selected_roles(dictionary): 'series_id, languages, publisher, pubdate, identifiers') # python build process likes to have x.y.zbw -> b for beta and w a counting number -STABLE_VERSION = 'v0.8.2' +STABLE_VERSION = 'v0.8.3' USER_AGENT = f"Autocaliweb/{STABLE_VERSION}"
f455051f7c75 Merge commit from fork
1 file changed · +1 −1
cps/config_sql.py+1 −1 modified@@ -339,7 +339,7 @@ def set_from_dictionary(self, dictionary, field, convertor=None, default=None, e def to_dict(self): storage = {} for k, v in self.__dict__.items(): - if k[0] != '_' and not k.endswith("_e") and not k == "cli": + if k[0] != '_' and not k.endswith("_e") and k != "cli" and 'api' not in k.lower(): storage[k] = v return storage
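Review bot: In to_dict() in cps/config_sql.py, the added condition 'api' not in k.lower() is a name-substring denylist, so a value is excluded only when its attribute name happens to contain "api". A credential stored under an attribute name without that substring would still be copied into storage, and any non-sensitive setting whose name contains "api" is now silently dropped from the debug output. Consider replacing the chain of name tests with an explicit allowlist of attributes that are safe to serialize (or a maintained set of sensitive names checked here), and add a test asserting that no token-bearing attribute appears in the dict that to_dict() returns.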