NIXPKGS-2026-0485

GitHub issue published 3 months, 1 week ago

Permalink CVE-2026-27810

6.4 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Changed (C)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

updated 3 months, 1 week ago by @LeSuisse Activity log

Created suggestion 3 months, 1 week ago
@LeSuisse ignored package calibre-web 3 months, 1 week ago
@LeSuisse accepted 3 months, 1 week ago
@LeSuisse published on GitHub 3 months, 1 week ago

calibre Vulnerable to HTTP Response Header Injection

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, an HTTP Response Header Injection vulnerability in the calibre Content Server allows any authenticated user to inject arbitrary HTTP headers into server responses via an unsanitized `content_disposition` query parameter in the `/get/` and `/data-files/get/` endpoints. All users running the calibre Content Server with authentication enabled are affected. The vulnerability is exploitable by any authenticated user and can also be triggered by tricking an authenticated victim into clicking a crafted link. Version 9.4.0 contains a fix for the issue.

References

https://github.com/kovidgoyal/calibre/security/advisories/GHSA-5fpj-fxw7-8grw x_refsource_CONFIRM

Affected products

calibre

==< 9.4.0

Matching in nixpkgs

pkgs.calibre

Comprehensive e-book software

nixos-unstable 8.16.2
- nixpkgs-unstable 8.16.2
- nixos-unstable-small 8.16.2

pkgs.pkgsRocm.calibre

Comprehensive e-book software

nixos-unstable 8.16.2
- nixpkgs-unstable 8.16.2
- nixos-unstable-small 8.16.2

pkgs.calibre-no-speech

Comprehensive e-book software

nixos-unstable 8.16.2
- nixpkgs-unstable 8.16.2
- nixos-unstable-small 8.16.2

pkgs.pkgsRocm.calibre-no-speech

Comprehensive e-book software

nixos-unstable 8.16.2
- nixpkgs-unstable 8.16.2
- nixos-unstable-small 8.16.2

Ignored packages (1)

pkgs.calibre-web

Web app for browsing, reading and downloading eBooks stored in a Calibre database

nixos-unstable 0.6.25
- nixpkgs-unstable 0.6.25
- nixos-unstable-small 0.6.25

Package maintainers

@pSub Pascal Wittmann <mail@pascal-wittmann.de>

Upstream advisory: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-5fpj-fxw7-8grw

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0485

References

Affected products

Matching in nixpkgs

pkgs.calibre

pkgs.pkgsRocm.calibre

pkgs.calibre-no-speech

pkgs.pkgsRocm.calibre-no-speech

pkgs.calibre-web

Package maintainers