CVE-2026-27824

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-27824

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27824.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-27824

Aliases

GHSA-vhxc-r7v8-2xrw

Downstream

DEBIAN-CVE-2026-27824

UBUNTU-CVE-2026-27824

Published

2026-02-27T19:46:07.612Z

Modified

2026-03-03T02:35:48.560171Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

calibre has IP Ban Bypass via X-Forwarded-For Header Spoofing

Details

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Server's brute-force protection mechanism uses a ban key derived from both remote_addr and the X-Forwarded-For header. Since the X-Forwarded-For header is read directly from the HTTP request without any validation or trusted-proxy configuration, an attacker can bypass IP-based bans by simply changing or adding this header, rendering the brute-force protection completely ineffective. This is particularly dangerous for calibre servers exposed to the internet, where brute-force protection is the primary defense against credential stuffing and password guessing attacks. Version 9.4.0 contains a fix for the issue.

Database specific

{
    "cwe_ids": [
        "CWE-307",
        "CWE-346"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27824.json"
}

References

Affected packages

Git / github.com/kovidgoyal/calibre

Affected ranges

Type

GIT

Repo

https://github.com/kovidgoyal/calibre

Events

Introduced

Fixed

0fe2747ab1959e715a239a7fe81eaa85692eb004

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "9.4.0"
        }
    ]
}

Affected versions

0.*

0.9.33

0.9.34

0.9.35

0.9.36

0.9.37

v0.*

v0.9.38

v0.9.39

v0.9.40

v0.9.41

v0.9.42

v0.9.43

v0.9.44

v1.*

v1.0.0

v1.1.0

v1.10.0

v1.11.0

v1.12.0

v1.13.0

v1.14.0

v1.15.0

v1.16.0

v1.17.0

v1.18.0

v1.19.0

v1.2.0

v1.20.0

v1.21.0

v1.22.0

v1.23.0

v1.24.0

v1.25.0

v1.26.0

v1.27.0

v1.28.0

v1.29.0

v1.3.0

v1.30.0

v1.31.0

v1.32.0

v1.33.0

v1.34.0

v1.35.0

v1.36.0

v1.37.0

v1.38.0

v1.39.0

v1.4.0

v1.40.0

v1.41.0

v1.42.0

v1.43.0

v1.44.0

v1.45.0

v1.46.0

v1.47.0

v1.48.0

v1.5.0

v1.6.0

v1.7.0

v1.8.0

v1.9.0

v2.*

v2.0.0

v2.1.0

v2.10.0

v2.11.0

v2.12.0

v2.13.0

v2.14.0

v2.15.0

v2.16.0

v2.17.0

v2.18.0

v2.19.0

v2.2.0

v2.20.0

v2.21.0

v2.22.0

v2.23.0

v2.24.0

v2.25.0

v2.26.0

v2.27.0

v2.28.0

v2.29.0

v2.3.0

v2.30.0

v2.31.0

v2.32.0

v2.32.1

v2.33.0

v2.34.0

v2.35.0

v2.36.0

v2.37.0

v2.37.1

v2.38.0

v2.39.0

v2.4.0

v2.40.0

v2.41.0

v2.42.0

v2.43.0

v2.44.0

v2.44.1

v2.45.0

v2.46.0

v2.47.0

v2.48.0

v2.49.0

v2.5.0

v2.50.0

v2.50.1

v2.51.0

v2.52.0

v2.53.0

v2.54.0

v2.55.0

v2.56.0

v2.57.0

v2.57.1

v2.58.0

v2.59.0

v2.6.0

v2.60.0

v2.61.0

v2.62.0

v2.63.0

v2.64.0

v2.65.0

v2.65.1

v2.66.0

v2.67.0

v2.68.0

v2.69.0

v2.7.0

v2.70.0

v2.71.0

v2.72.0

v2.73.0

v2.74.0

v2.75.0

v2.75.1

v2.76.0

v2.77.0

v2.78.0

v2.79.0

v2.79.1

v2.8.0

v2.80.0

v2.81.0

v2.82.0

v2.83.0

v2.84.0

v2.85.0

v2.85.1

v2.9.0

v3.*

v3.0.0

v3.1.0

v3.1.1

v3.10.0

v3.11.0

v3.11.1

v3.12.0

v3.13.0

v3.14.0

v3.15.0

v3.16.0

v3.17.0

v3.18.0

v3.19.0

v3.2.0

v3.2.1

v3.20.0

v3.21.0

v3.22.0

v3.22.1

v3.23.0

v3.24.0

v3.24.1

v3.24.2

v3.25.0

v3.26.0

v3.26.1

v3.27.0

v3.27.1

v3.28.0

v3.29.0

v3.3.0

v3.30.0

v3.31.0

v3.32.0

v3.33.0

v3.33.1

v3.34.0

v3.35.0

v3.36.0

v3.37.0

v3.38.0

v3.38.1

v3.39.0

v3.39.1

v3.4.0

v3.40.0

v3.40.1

v3.41.0

v3.41.1

v3.41.2

v3.41.3

v3.42.0

v3.43.0

v3.44.0

v3.45.0

v3.45.1

v3.45.2

v3.46.0

v3.47.0

v3.48.0

v3.5.0

v3.6.0

v3.7.0

v3.8.0

v3.9.0

v4.*

v4.0.0

v4.1.0

v4.10.0

v4.10.1

v4.11.0

v4.11.1

v4.11.2

v4.12.0

v4.13.0

v4.14.0

v4.15.0

v4.16.0

v4.17.0

v4.18.0

v4.19.0

v4.2.0

v4.20.0

v4.21.0

v4.22.0

v4.23.0

v4.3.0

v4.4.0

v4.5.0

v4.6.0

v4.7.0

v4.8.0

v4.9.0

v4.9.1

v4.99.17

v5.*

v5.0.0

v5.0.1

v5.1.0

v5.10.0

v5.10.1

v5.11.0

v5.12.0

v5.13.0

v5.14.0

v5.15.0

v5.16.0

v5.16.1

v5.17.0

v5.18.0

v5.19.0

v5.2.0

v5.20.0

v5.21.0

v5.22.0

v5.22.1

v5.23.0

v5.24.0

v5.25.0

v5.26.0

v5.27.0

v5.28.0

v5.29.0

v5.3.0

v5.30.0

v5.31.0

v5.31.1

v5.32.0

v5.33.0

v5.33.1

v5.33.2

v5.34.0

v5.35.0

v5.36.0

v5.37.0

v5.38.0

v5.39.0

v5.39.1

v5.4.0

v5.4.1

v5.4.2

v5.40.0

v5.41.0

v5.42.0

v5.43.0

v5.44.0

v5.5.0

v5.6.0

v5.7.0

v5.7.1

v5.7.2

v5.8.0

v5.8.1

v5.9.0

v6.*

v6.0.0

v6.1.0

v6.10.0

v6.11.0

v6.12.0

v6.13.0

v6.14.0

v6.14.1

v6.15.0

v6.15.1

v6.16.0

v6.17.0

v6.18.0

v6.18.1

v6.19.0

v6.19.1

v6.2.0

v6.2.1

v6.20.0

v6.21.0

v6.22.0

v6.23.0

v6.24.0

v6.25.0

v6.26.0

v6.27.0

v6.28.0

v6.28.1

v6.29.0

v6.3.0

v6.4.0

v6.5.0

v6.6.0

v6.6.1

v6.7.0

v6.7.1

v6.8.0

v6.9.0

v7.*

v7.0.0

v7.1.0

v7.10.0

v7.11.0

v7.12.0

v7.13.0

v7.14.0

v7.15.0

v7.16.0

v7.17.0

v7.18.0

v7.19.0

v7.2.0

v7.20.0

v7.21.0

v7.22.0

v7.23.0

v7.24.0

v7.25.0

v7.26.0

v7.3.0

v7.4.0

v7.5.0

v7.5.1

v7.6.0

v7.7.0

v7.8.0

v7.9.0

v8.*

v8.0.0

v8.0.1

v8.1.0

v8.1.1

v8.10.0

v8.11.0

v8.11.1

v8.12.0

v8.13.0

v8.14.0

v8.15.0

v8.16.0

v8.16.1

v8.16.2

v8.2.0

v8.2.1

v8.2.100

v8.3.0

v8.4.0

v8.5.0

v8.6.0

v8.7.0

v8.8.0

v8.9.0

v9.*

v9.0.0

v9.1.0

v9.2.0

v9.2.1

v9.3.0

v9.3.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27824.json"