NIXPKGS-2026-0155

GitHub issue published on 7 Feb 2026

Permalink CVE-2026-25731

7.8 HIGH

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 1 month, 3 weeks ago by @LeSuisse Activity log

Created automatic suggestion 1 month, 3 weeks ago
@LeSuisse removed
4 packages
- calibre-web
- pkgsRocm.calibre
- calibre-no-speech
- pkgsRocm.calibre-no-speech
1 month, 3 weeks ago
@LeSuisse accepted 1 month, 3 weeks ago
@LeSuisse published on GitHub 1 month, 3 weeks ago

Calibre Affected by Arbitrary Code Execution via Server-Side Template Injection in Calibre HTML Export

calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index command-line options. This vulnerability is fixed in 9.2.0.

References

https://github.com/kovidgoyal/calibre/commit/f0649b27512e987b95fcab2e1e0a3bcdafc23379 x_refsource_MISC
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-xrh9-w7qx-3gcc x_refsource_CONFIRM

Affected products

calibre

==< 9.2.0

Matching in nixpkgs

pkgs.calibre

Comprehensive e-book software

nixos-unstable 8.15.0
- nixpkgs-unstable 8.15.0
- nixos-unstable-small 8.15.0
nixos-25.11 8.14.0
- nixos-25.11-small 8.14.0
- nixpkgs-25.11-darwin 8.14.0

Package maintainers

@pSub Pascal Wittmann <mail@pascal-wittmann.de>

Upstream advisory: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-xrh9-w7qx-3gcc
Upstream patch: https://github.com/kovidgoyal/calibre/commit/f0649b27512e987b95fcab2e1e0a3bcdafc23379

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0155

References

Affected products

Matching in nixpkgs

pkgs.calibre

Package maintainers