by @LeSuisse Activity log
- Created automatic suggestion
- @LeSuisse removed package calibre-web
- @LeSuisse accepted
- @LeSuisse published on GitHub
calibre has a path traversal vulnerability
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a path traversal vulnerability exists in Calibre' handling of images in Markdown and other similar text-based files allowing an attacker to include arbitrary files from the file system into the converted book. Additionally, missing authentication and server-side request forgery in the background-image endpoint in the ebook reader web view allow the files to be exfiltrated without additional interaction. Version 9.6.0 contains a fix.
References
Affected products
- ==< 9.6.0
Matching in nixpkgs
pkgs.calibre
Comprehensive e-book software
pkgs.pkgsRocm.calibre
Comprehensive e-book software
pkgs.calibre-no-speech
Comprehensive e-book software
pkgs.pkgsRocm.calibre-no-speech
Comprehensive e-book software
Ignored packages (1)
pkgs.calibre-web
Web app for browsing, reading and downloading eBooks stored in a Calibre database
-
nixos-unstable 0.6.26-unstable-2026-03-01
- nixpkgs-unstable 0.6.26-unstable-2026-03-01
- nixos-unstable-small 0.6.26-unstable-2026-03-01
Package maintainers
-
@pSub Pascal Wittmann <mail@pascal-wittmann.de>
-
@sempiternal-aurora Myria Sarvay