NIXPKGS-2026-2090
GitHub issue
published an hour ago
calibre: Arbitrary Code Execution in Template Formatter via Book Metadata
Permalink
CVE-2026-53511
8.5 HIGH
- CVSS version (CVSS): 4.0
- Attack Vector (AV): Local (L)
- Attack Complexity (AC): Low (L)
- Attack Requirement (AT): None (N)
- Privileges Required (PR): None (N)
- User Interaction (UI): Passive (P)
- Vulnerable System Impact Confidentiality (VC): High (H)
- Vulnerable System Impact Integrity (VI): High (H)
- Vulnerable System Impact Availability (VA): High (H)
- Subsequent System Impact Confidentiality (SC): None (N)
- Subsequent System Impact Integrity (SI): None (N)
- Subsequent System Impact Availability (SA): None (N)
- Modified Attack Vector (MAV): Local (L)
- Modified Attack Complexity (MAC): Low (L)
- Modified Attack Requirement (MAT): None (N)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Passive (P)
- Modified Vulnerable System Impact Confidentiality (MVC): High (H)
- Modified Vulnerable System Impact Integrity (MVI): High (H)
- Modified Vulnerable System Impact Availability (MVA): High (H)
- Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
- Modified Subsequent System Impact Integrity (MSI): Negligible (N)
- Modified Subsequent System Impact Availability (MSA): Negligible (N)
- Safety (S): Not Defined (X)
- Automatable (AU): Not Defined (X)
- Recovery (R): Not Defined (X)
- Value Density (V): Not Defined (X)
- Vulnerability Response Effort (RE): Not Defined (X)
- Provider Urgency (U): Not Defined (X)
- Confidentiality Req. (CR): Not Defined (X)
- Integrity Req. (IR): Not Defined (X)
- Availability Req. (AR): Not Defined (X)
- Exploit Maturity (E): Not Defined (X)
by @LeSuisse Activity log
- Created suggestion
-
@LeSuisse
ignored
3 packages
- calibre-web
- calibre-no-speech
- pkgsRocm.calibre-no-speech
- @LeSuisse ignored reference https://g…
- @LeSuisse accepted
- @LeSuisse published on GitHub
calibre: Arbitrary Code Execution in Template Formatter via Book Metadata
calibre is an e-book manager. Prior to 9.10.0, a malicious EPUB, OPF, or PDF file can execute arbitrary Python code when its metadata is read by calibre, including through Add books or Edit books, by embedding a custom column definition with a python: template in calibre:user_metadata that is passed unsanitized to exec() in the template formatter. This issue is fixed in version 9.10.0.
References
-
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-2j4m-2q7x-2c47 x_refsource_CONFIRM
Ignored references (1)
-
https://github.com/kovidgoyal/calibre/releases/tag/v9.10.0 x_refsource_MISC
Affected products
calibre
- ==< 9.10.0
Matching in nixpkgs
pkgs.calibre
Comprehensive e-book software
Ignored packages (3)
pkgs.calibre-web
Web app for browsing, reading and downloading eBooks stored in a Calibre database
-
nixos-unstable 0.6.26-unstable-2026-03-01
- nixpkgs-unstable 0.6.26-unstable-2026-03-01
- nixos-unstable-small 0.6.26-unstable-2026-03-01
-
nixos-26.05 0.6.26-unstable-2026-03-01
- nixos-26.05-small 0.6.26-unstable-2026-03-01
- nixpkgs-26.05-darwin 0.6.26-unstable-2026-03-01
pkgs.calibre-no-speech
Comprehensive e-book software
Package maintainers
-
@pSub Pascal Wittmann <mail@pascal-wittmann.de>
-
@sempiternal-aurora Myria Sarvay <myrialsarvay@gmail.com>