NIXPKGS-2026-0156
GitHub issue
published on 7 Feb 2026
by @LeSuisse Activity log
- Created automatic suggestion
-
@LeSuisse
removed
4 packages
- calibre-web
- pkgsRocm.calibre
- calibre-no-speech
- pkgsRocm.calibre-no-speech
- @LeSuisse accepted
- @LeSuisse published on GitHub
calibre has a Path Traversal Leading to Arbitrary File Write and Potential Code Execution
calibre is an e-book manager. Prior to 9.2.0, Calibre's CHM reader contains a path traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows (haven't tested on other OS's), this can lead to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. This vulnerability is fixed in 9.2.0.
Affected products
calibre
- ==< 9.2.0
Matching in nixpkgs
Ignored packages (4)
pkgs.calibre-web
Web app for browsing, reading and downloading eBooks stored in a Calibre database
pkgs.pkgsRocm.calibre
Comprehensive e-book software
pkgs.calibre-no-speech
Comprehensive e-book software
pkgs.pkgsRocm.calibre-no-speech
Comprehensive e-book software
Package maintainers
-
@pSub Pascal Wittmann <mail@pascal-wittmann.de>
-
@pborzenkov Pavel Borzenkov <pavel@borzenkov.net>