SB20260629108 - Multiple vulnerabilities in Calibre
Published: June 29, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-33205)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker who can get the victim to open a crafted e-book to make the application issue blind GET requests to arbitrary URLs.
The vulnerability exists due to server-side request forgery in the background-image endpoint when processing a user-supplied URL from sandboxed e-book content. An attacker can embed a crafted URL in an e-book so that, when the book is opened, the application fetches an attacker-chosen URL. The request is blind: its response is not returned to the attacker, which is why the CVSS vector rates the confidentiality impact as low (VC:L) and requires the victim to open the crafted book (AV:L, UI:A).
Exploitation can be used to reach services on the local network that are not directly exposed to the attacker, and the issue can be chained with a separate path traversal issue to exfiltrate file contents from the e-book sandbox without the user's awareness.
2) Relative Path Traversal (CVE-ID: CVE-2026-33206)
CWE-ID: CWE-23 - Relative Path Traversal
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker who can get the victim to convert a crafted file to read local files.
The vulnerability exists due to path traversal in the image handling logic of txt_input.py when converting markdown or other text-based files. A remote attacker can supply a specially crafted file whose image references contain traversal sequences (for example "../"), so that files outside the source directory are treated as images and pulled into the conversion.
User interaction is required: the victim must open or convert the crafted text-based file. Any local file readable by the user running the conversion can be included in the generated e-book, which is why the CVSS vector rates the confidentiality impact as high (VC:H).
Remediation
Install the update from the vendor's website. Until the update is applied, avoid opening or converting e-books and text or markdown files from untrusted sources, since both issues require the victim to open or convert a crafted file.