CVE-2026-30853

HIGH EPSS 7.7%

Published Mar 13, 20263mo ago · Modified Mar 18, 20263mo ago

8.2 CVSS 3.1

High

Published Mar 13, 2026 3mo ago

Last Modified Mar 18, 2026 3mo ago

Description

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to 9.5.0, a path traversal vulnerability in the RocketBook (.rb) input plugin (src/calibre/ebooks/rb/reader.py) allows an attacker to write arbitrary files to any path writable by the calibre process when a user opens or converts a crafted .rb file. This is the same bug class fixed in CVE-2026-26065 for the PDB readers, but the fix was never applied to the RB reader. This vulnerability is fixed in 9.5.0.

CVSS Details

Base Score

8.2

Exploitability

1.8

Impact

5.8

Vector string

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H

Attack Vector Local

Attack Complexity Low

Privileges Required None

User Interaction Required

Scope Changed

Confidentiality None

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

7.7% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 1

CWE-22 Path Traversal Resource Mgmt

Affected Products 1

Vendor	Product	Version	Range
calibre-ebook	calibre	*	<9.5.0

References 1

github.com https://github.com/kovidgoyal/calibre/security/advisories/GHSA-7mp7-rfrg-542x

ExploitVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.