Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-33205

created 3 weeks, 1 day ago

calibre has Server-Side Request Forgery in ebook viewer backend

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader's web view allows an attacker to perform blind GET requests to arbitrary URLs and exfiltrate information out from the ebook sandbox. Version 9.6.0 patches the issue.

References

https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v x_refsource_CONFIRM

Affected products

calibre

==< 9.6.0

Matching in nixpkgs

pkgs.calibre

Comprehensive e-book software

nixos-unstable 9.5.0
- nixpkgs-unstable 9.5.0
- nixos-unstable-small 9.5.0
nixos-25.11 8.14.0
- nixos-25.11-small 8.14.0
- nixpkgs-25.11-darwin 8.14.0

pkgs.calibre-web

Web app for browsing, reading and downloading eBooks stored in a Calibre database

nixos-unstable 0.6.26-unstable-2026-03-01
- nixpkgs-unstable 0.6.26-unstable-2026-03-01
- nixos-unstable-small 0.6.26-unstable-2026-03-01
nixos-25.11 0.6.25
- nixos-25.11-small 0.6.25
- nixpkgs-25.11-darwin 0.6.25

pkgs.pkgsRocm.calibre

Comprehensive e-book software

nixos-unstable 9.5.0
- nixpkgs-unstable 9.5.0
- nixos-unstable-small 9.5.0
nixos-25.11 8.14.0
- nixos-25.11-small 8.14.0
- nixpkgs-25.11-darwin 8.14.0

pkgs.calibre-no-speech

Comprehensive e-book software

nixos-unstable 9.5.0
- nixpkgs-unstable 9.5.0
- nixos-unstable-small 9.5.0

pkgs.pkgsRocm.calibre-no-speech

Comprehensive e-book software

nixos-unstable 9.5.0
- nixpkgs-unstable 9.5.0
- nixos-unstable-small 9.5.0

Package maintainers

@pSub Pascal Wittmann <mail@pascal-wittmann.de>
@pborzenkov Pavel Borzenkov <pavel@borzenkov.net>
@sempiternal-aurora Myria Sarvay