Unrated severityNVD Advisory· Published Feb 6, 2026· Updated Feb 11, 2026
calibre has a Path Traversal Leading to Arbitrary File Write and Potential Code Execution
CVE-2026-25635
Description
calibre is an e-book manager. Prior to 9.2.0, Calibre's CHM reader contains a path traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows (haven't tested on other OS's), this can lead to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. This vulnerability is fixed in 9.2.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3<9.2.0+ 1 more
- (no CPE)range: <9.2.0
- (no CPE)range: < 9.2.0
Patches
Vulnerability mechanics
References
2- github.com/kovidgoyal/calibre/commit/9739232fcb029ac15dfe52ccd4fdb4a07ebb6ce9mitrex_refsource_MISC
- github.com/kovidgoyal/calibre/security/advisories/GHSA-32vh-whvh-9fxrmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.