Server-Side Request Forgery (SSRF) in Calibre - CVE-2026-33205

Published: June 29, 2026


Vulnerability identifier: #VU135814
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33205
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Calibre
Affected software:
Calibre

Detailed vulnerability description

The vulnerability allows a remote attacker to perform blind GET requests to arbitrary URLs and disclose sensitive information.

The vulnerability exists because the background-image endpoint makes a server-side request to a user-supplied URL taken from sandboxed e-book content. A remote attacker can supply a crafted URL to perform blind GET requests to arbitrary URLs and disclose sensitive information.

A successful exploit can reach services on the local network, and the issue can be chained with a separate path traversal issue to exfiltrate file contents from the e-book sandbox without the user's awareness.
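As an added defensive example (not Calibre's own code and not taken from this advisory), a Python pre-fetch check of the kind an endpoint that fetches a user-supplied image URL on the server's behalf needs: it restricts the scheme and rejects any destination that resolves to loopback, private, link-local or otherwise non-public addresses. The function names and the SAMPLE_DNS entries are assumptions constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598; not "private" in older Pythons
# Constructed DNS answers so the example runs offline; these are not real records.
SAMPLE_DNS = {"example.test": ["93.184.216.34"], "intranet.test": ["10.0.0.5"],
              "dual.test": ["93.184.216.34", "192.168.1.10"]}

def default_resolve(host):
    """Return every address (A and AAAA) the name maps to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def sample_resolve(host):
    """Offline stand-in for default_resolve, backed by SAMPLE_DNS."""
    return SAMPLE_DNS.get(host, [])

def is_public_address(ip):
    """True only for addresses outside loopback, private, link-local and reserved ranges."""
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as the IPv4 it carries.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.version == 4 and ip in CGNAT:
        return False
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def is_safe_fetch_target(url, resolve=default_resolve):
    """Decide whether the server may fetch a user-supplied image URL on the user's behalf."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False  # malformed URL, e.g. unbalanced IPv6 brackets
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False  # rejects file://, gopher://, data: and URLs without a host
    try:
        targets = [ipaddress.ip_address(parts.hostname)]  # plain IP literal, no DNS needed
    except ValueError:
        # Names and odd literals such as 0x7f.1 go through the resolver, so the check
        # applies to the address the fetch would actually connect to.
        try:
            targets = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
        except (socket.gaierror, ValueError):
            return False
    # Every address must be public (dual-homed records are rejected). Connect to the
    # validated address, not the name, and re-validate each redirect hop, otherwise
    # DNS rebinding or a redirect can bypass this check.
    return bool(targets) and all(is_public_address(ip) for ip in targets)
```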


How to mitigate CVE-2026-33205

Install the security update from the vendor's website.

Sources