calibre has Server-Side Request Forgery in ebook viewer backend

4.8 / 10

MEDIUM

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Description

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader's web view allows an attacker to perform blind GET requests to arbitrary URLs and exfiltrate information out from the ebook sandbox. Version 9.6.0 patches the issue.

Basic Information

ID CVE-2026-33205

Source GitHub_M

Published Mar 27, 2026 at 13:52

Modified Mar 27, 2026 at 19:58

Affected Product

Vendor kovidgoyal

Product calibre

Version < 9.6.0

Affected Versions kovidgoyal calibre < 9.6.0

CWE Classification

CWE-918

References

github.com /kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v

{
    "lastseen": "",
    "description": "calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader's web view allows an attacker to perform blind GET requests to arbitrary URLs and exfiltrate information out from the ebook sandbox. Version 9.6.0 patches the issue.",
    "published": "2026-03-27T13:52:06.860Z",
    "modified": "2026-03-27T19:58:43.747Z",
    "type": "cve",
    "title": "calibre has Server-Side Request Forgery in ebook viewer backend",
    "source": "GitHub_M",
    "references": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v",
    "id": "CVE-2026-33205",
    "bulletinFamily": "",
    "cwe": [
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "kovidgoyal calibre < 9.6.0",
    "sourceHref": "",
    "cvss": {
        "score": 4.8,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "calibre",
    "version": "< 9.6.0",
    "vendor": "kovidgoyal",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

calibre has Server-Side Request Forgery in ebook viewer backend_CVE-2026-33205