CVE-2026-25731

Summary

calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the –template-html or –template-html-index command-line options. This vulnerability is fixed in 9.2.0.

Affected Software

VendorProductVersion RangeStatus
kovidgoyalcalibre< 9.2.0affected

Weaknesses

  • CWE-1336: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References