Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-25731
7.8 HIGH
- CVSS version: 3.1
- Attack vector (AV): LOCAL
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
Calibre Affected by Arbitrary Code Execution via Server-Side Template Injection in Calibre HTML Export
calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index command-line options. This vulnerability is fixed in 9.2.0.
References
Affected products
calibre
- ==< 9.2.0
Matching in nixpkgs
pkgs.calibre
Comprehensive e-book software
pkgs.calibre-web
Web app for browsing, reading and downloading eBooks stored in a Calibre database
pkgs.pkgsRocm.calibre
Comprehensive e-book software
pkgs.calibre-no-speech
Comprehensive e-book software
pkgs.pkgsRocm.calibre-no-speech
Comprehensive e-book software
Package maintainers
-
@pSub Pascal Wittmann <mail@pascal-wittmann.de>
-
@pborzenkov Pavel Borzenkov <pavel@borzenkov.net>