Unrated severityNVD Advisory· Published Mar 27, 2026· Updated Mar 27, 2026

calibre has Server-Side Request Forgery in ebook viewer backend

CVE-2026-33205

Description

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader's web view allows an attacker to perform blind GET requests to arbitrary URLs and exfiltrate information out from the ebook sandbox. Version 9.6.0 patches the issue.

Affected products

Kovidgoyal/Calibrellm-fuzzy
Range: <9.6.0
kovidgoyal/calibrev5
Range: < 9.6.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7vmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000