NIXPKGS-2026-0504

GitHub issue published 3 months ago

Permalink CVE-2026-27824

5.3 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

updated 3 months ago by @LeSuisse Activity log

Created suggestion 3 months, 1 week ago
@LeSuisse ignored package calibre-web 3 months ago
@LeSuisse accepted 3 months ago
@LeSuisse published on GitHub 3 months ago

calibre has IP Ban Bypass via X-Forwarded-For Header Spoofing

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Server's brute-force protection mechanism uses a ban key derived from both `remote_addr` and the `X-Forwarded-For` header. Since the `X-Forwarded-For` header is read directly from the HTTP request without any validation or trusted-proxy configuration, an attacker can bypass IP-based bans by simply changing or adding this header, rendering the brute-force protection completely ineffective. This is particularly dangerous for calibre servers exposed to the internet, where brute-force protection is the primary defense against credential stuffing and password guessing attacks. Version 9.4.0 contains a fix for the issue.

References

https://github.com/kovidgoyal/calibre/security/advisories/GHSA-vhxc-r7v8-2xrw x_refsource_CONFIRM

Affected products

calibre

==< 9.4.0

Matching in nixpkgs

pkgs.calibre

Comprehensive e-book software

nixos-unstable 8.16.2
- nixpkgs-unstable 8.16.2
- nixos-unstable-small 8.16.2

pkgs.pkgsRocm.calibre

Comprehensive e-book software

nixos-unstable 8.16.2
- nixpkgs-unstable 8.16.2
- nixos-unstable-small 8.16.2

pkgs.calibre-no-speech

Comprehensive e-book software

nixos-unstable 8.16.2
- nixpkgs-unstable 8.16.2
- nixos-unstable-small 8.16.2

pkgs.pkgsRocm.calibre-no-speech

Comprehensive e-book software

nixos-unstable 8.16.2
- nixpkgs-unstable 8.16.2
- nixos-unstable-small 8.16.2

Ignored packages (1)

pkgs.calibre-web

Web app for browsing, reading and downloading eBooks stored in a Calibre database

nixos-unstable 0.6.25
- nixpkgs-unstable 0.6.25
- nixos-unstable-small 0.6.25

Package maintainers

@pSub Pascal Wittmann <mail@pascal-wittmann.de>

Upstream advisory: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-vhxc-r7v8-2xrw

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0504

References

Affected products

Matching in nixpkgs

pkgs.calibre

pkgs.pkgsRocm.calibre

pkgs.calibre-no-speech

pkgs.pkgsRocm.calibre-no-speech

pkgs.calibre-web

Package maintainers