CVE-2018-7889

NONE · EPSS 90.6%
Published Mar 8, 2018 · Last Modified Jun 17, 2026

Description

gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on imported bookmark data, which allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.
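The description names the whole bug class: `cPickle.load` on a file the user imports. As an added example (not calibre's code, and not the fix in the commit referenced below), the snippet shows the vulnerable loader pattern beside two hardened alternatives, an allow-list `Unpickler` and a data-only JSON format, plus an opcode-level check that flags pickles referencing globals or constructors without executing them. Python 3's `pickle` and `json` stand in for Python 2's `cPickle`; the bookmark record shape, the constants and the function names are assumptions made for the example.

```python
"""Added example for CVE-2018-7889 (not calibre's code). Python 3 `pickle`
stands in for the Python 2 `cPickle` named in the advisory (assumption)."""
import collections
import io
import json
import pickle
import pickletools

# Constructed sample bookmark records; the real calibre format is not assumed.
SAMPLE_BOOKMARKS = [{"title": "Chapter 1", "pos": 1024}, {"title": "Notes", "pos": 8192}]
SAMPLE_BOOKMARKS_JSON = json.dumps(SAMPLE_BOOKMARKS).encode("utf-8")
# A data-only pickle: only lists, dicts, strings and ints, no global references.
DATA_ONLY_PICKLE = pickle.dumps(SAMPLE_BOOKMARKS)
# A benign pickle that nevertheless references a non-builtin global
# (collections.OrderedDict) and calls it: exactly the opcode shape an
# allow-list loader must refuse. Constructed here, harmless on its own.
FOREIGN_OBJECT_PICKLE = pickle.dumps(collections.OrderedDict())

# Opcodes that resolve or invoke Python callables during unpickling.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "BUILD", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}


def load_bookmarks_unsafe(data: bytes):
    """Vulnerable pattern: pickle.load() on bytes taken from an imported file.
    Unpickling resolves arbitrary module.attribute references and calls them,
    so a crafted file runs code with the application's privileges."""
    return pickle.load(io.BytesIO(data))


class RestrictedUnpickler(pickle.Unpickler):
    """Mitigation 1: resolve only an explicit allow-list of safe builtins.
    Plain bookmark records (lists/dicts of str/int) need no globals at all."""

    ALLOWED = frozenset({("builtins", "set"), ("builtins", "frozenset")})

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")


def load_bookmarks_restricted(data: bytes):
    """Load legacy pickle bookmarks through the allow-list unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def restricted_load_refuses(data: bytes) -> bool:
    """True if the allow-list loader rejects the stream (used by the checks below)."""
    try:
        load_bookmarks_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False


def references_globals(data: bytes) -> bool:
    """Detection: inspect the opcode stream with pickletools, which does NOT
    execute it, and report whether any global lookup or object construction
    occurs. Data-only bookmark pickles should never trigger this."""
    return any(op.name in CODE_OPCODES for op, _arg, _pos in pickletools.genops(data))


def load_bookmarks_json(data: bytes):
    """Mitigation 2 (preferred): a data-only format. json.loads() never maps
    input to Python objects, so there is nothing for a crafted file to call.
    The shape is still validated so malformed files fail early."""
    items = json.loads(data.decode("utf-8"))
    if not isinstance(items, list):
        raise ValueError("bookmark file must contain a list")
    cleaned = []
    for item in items:
        if (not isinstance(item, dict)
                or not isinstance(item.get("title"), str)
                or not isinstance(item.get("pos"), int)):
            raise ValueError("malformed bookmark entry")
        cleaned.append({"title": item["title"], "pos": item["pos"]})
    return cleaned


if __name__ == "__main__":
    print("data-only pickle references globals:", references_globals(DATA_ONLY_PICKLE))
    print("foreign-object pickle references globals:", references_globals(FOREIGN_OBJECT_PICKLE))
    print("restricted loader refuses foreign object:", restricted_load_refuses(FOREIGN_OBJECT_PICKLE))
    print("json loader:", load_bookmarks_json(SAMPLE_BOOKMARKS_JSON))
```

The opcode check is useful as a triage step for files already on disk: a bookmark export that contains `GLOBAL`, `STACK_GLOBAL` or `REDUCE` opcodes has no legitimate reason to, and can be quarantined before any loader touches it. The allow-list unpickler only makes sense as a bridge for existing pickle files; new exports should use the JSON path, which is the shape of fix the linked commit takes.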

Threat Intelligence

EPSS Exploit Probability
90.6% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-502 Deserialization of Untrusted Data

Affected Products 1

Vendor         Product   Version   Range
calibre-ebook  calibre   3.18.0    any

References 2

  • bugs.launchpad.net https://bugs.launchpad.net/calibre/+bug/1753870
    Exploit, Third Party Advisory
  • github.com https://github.com/kovidgoyal/calibre/commit/aeb5b036a0bf657951756688b3c72bd68b6e4a7d
    Patch

Remediation

  • github.com https://github.com/kovidgoyal/calibre/commit/aeb5b036a0bf657951756688b3c72bd68b6e4a7d
    Patch