NIXPKGS-2026-0824
GitHub issue
published on 28 Mar 2026
by @LeSuisse
Activity log
- Created automatic suggestion
- @LeSuisse removed 3 packages
  - calibre-web
  - pkgsRocm.calibre-no-speech
  - calibre-no-speech
- @LeSuisse accepted
- @LeSuisse published on GitHub
calibre has Server-Side Request Forgery in ebook viewer backend
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader's web view allows an attacker to perform blind GET requests to arbitrary URLs and exfiltrate information out from the ebook sandbox. Version 9.6.0 patches the issue.
References
- https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v x_refsource_CONFIRM
Affected products
calibre
- < 9.6.0
Matching in nixpkgs
pkgs.calibre
Comprehensive e-book software
Ignored packages (3)
pkgs.calibre-web
Web app for browsing, reading and downloading eBooks stored in a Calibre database
- nixos-unstable 0.6.26-unstable-2026-03-01
- nixpkgs-unstable 0.6.26-unstable-2026-03-01
- nixos-unstable-small 0.6.26-unstable-2026-03-01
pkgs.calibre-no-speech
Comprehensive e-book software
pkgs.pkgsRocm.calibre-no-speech
Comprehensive e-book software
Package maintainers
- @pSub Pascal Wittmann <mail@pascal-wittmann.de>
- @sempiternal-aurora Myria Sarvay