SB20260629106 - Multiple vulnerabilities in Calibre
Published: June 29, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Origin validation error (CVE-ID: CVE-2026-27824)
CWE-ID: CWE-346 - Origin Validation Error
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass brute-force protection and perform unlimited password guessing attempts.
The vulnerability exists due to improper origin validation in the Content Server brute-force protection mechanism when processing authentication requests with a user-supplied X-Forwarded-For header. A remote attacker can send authentication requests with changing X-Forwarded-For values to bypass brute-force protection and perform unlimited password guessing attempts.
The issue affects deployments with authentication and ban settings enabled, and can also enable username enumeration through response differences.
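Defender-side illustration of the first issue, added here and not calibre's own code: a toy ban tracker keyed the vulnerable way (whatever X-Forwarded-For says) beside one that only honours the header when the TCP peer is a configured proxy. The addresses, the trusted-proxy range and the failure threshold are constructed for the example.

```python
# Added example, not calibre's code: minimal login ban tracker keyed on client
# address, showing why trusting a user-supplied X-Forwarded-For header lets a
# client reset its own failure counter on every request.
import ipaddress
from collections import defaultdict

MAX_FAILURES = 3  # constructed threshold: lock out after this many failures

def client_key_naive(remote_addr, headers):
    # Vulnerable pattern: whoever sets X-Forwarded-For chooses the ban key.
    return headers.get("X-Forwarded-For", remote_addr).split(",")[0].strip()

def client_key_hardened(remote_addr, headers, trusted_proxies=()):
    # Only honour the header when the peer is a configured proxy, and take the
    # element that proxy appended (the last one, assuming a single proxy hop).
    peer = ipaddress.ip_address(remote_addr)
    trusted = any(peer in ipaddress.ip_network(p) for p in trusted_proxies)
    xff = headers.get("X-Forwarded-For")
    if not trusted or not xff:
        return remote_addr
    return xff.split(",")[-1].strip()

class BanTracker:
    def __init__(self, key_func, **key_kwargs):
        self.key_func = key_func
        self.key_kwargs = key_kwargs
        self.failures = defaultdict(int)

    def attempt(self, remote_addr, headers, password_ok):
        """Return 'banned', 'ok' or 'failed' for one login attempt."""
        key = self.key_func(remote_addr, headers, **self.key_kwargs)
        if self.failures[key] >= MAX_FAILURES:
            return "banned"
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "failed"

def simulate(tracker, guesses):
    """Replay `guesses` failed logins from one peer, each carrying a different
    X-Forwarded-For value. Returns how many reached the password check."""
    checked = 0
    for i in range(guesses):
        hdrs = {"X-Forwarded-For": f"10.0.{i // 256}.{i % 256}"}  # constructed
        if tracker.attempt("203.0.113.7", hdrs, password_ok=False) != "banned":
            checked += 1
    return checked
```

With the naive key every attempt is checked; with the hardened key the peer is banned after MAX_FAILURES regardless of the header.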
2) HTTP response splitting (CVE-ID: CVE-2026-27810)
CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to inject arbitrary HTTP response headers.
The vulnerability exists due to improper neutralization of CRLF sequences in HTTP response headers in the calibre Content Server /get/ and /data-files/get/ endpoints when processing the content_disposition query parameter. A remote user can send a specially crafted request to inject arbitrary HTTP response headers.
User interaction is not required for direct exploitation, but the issue can also be triggered by tricking an authenticated victim into opening a crafted link in a browser session.
Remediation
Install the update from the vendor's website.