CVE-2026-33206

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a path traversal vulnerability exists in Calibre' handling of images in Markdown and other similar text-based files allowing an attacker to include arbitrary files from the file system into the converted book. Additionally, missing authentication and server-side request forgery in the background-image endpoint in the ebook reader web view allow the files to be exfiltrated without additional interaction. Version 9.6.0 contains a fix.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33206.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-23"
    ]
}

References

Affected packages

Git / github.com/kovidgoyal/calibre

Affected ranges

Type

GIT

Repo

https://github.com/kovidgoyal/calibre

Events

Introduced

Fixed

d022762b4635598ce76cae248b68a27b091d3805

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "9.6.0"
        }
    ]
}

Affected versions

0.*

0.9.33

0.9.34

0.9.35

0.9.36

0.9.37

v0.*

v0.9.38

v0.9.39

v0.9.40

v0.9.41

v0.9.42

v0.9.43

v0.9.44

v1.*

v1.0.0

v1.1.0

v1.10.0

v1.11.0

v1.12.0

v1.13.0

v1.14.0

v1.15.0

v1.16.0

v1.17.0

v1.18.0

v1.19.0

v1.2.0

v1.20.0

v1.21.0

v1.22.0

v1.23.0

v1.24.0

v1.25.0

v1.26.0

v1.27.0

v1.28.0

v1.29.0

v1.3.0

v1.30.0

v1.31.0

v1.32.0

v1.33.0

v1.34.0

v1.35.0

v1.36.0

v1.37.0

v1.38.0

v1.39.0

v1.4.0

v1.40.0

v1.41.0

v1.42.0

v1.43.0

v1.44.0

v1.45.0

v1.46.0

v1.47.0

v1.48.0

v1.5.0

v1.6.0

v1.7.0

v1.8.0

v1.9.0

v2.*

v2.0.0

v2.1.0

v2.10.0

v2.11.0

v2.12.0

v2.13.0

v2.14.0

v2.15.0

v2.16.0

v2.17.0

v2.18.0

v2.19.0

v2.2.0

v2.20.0

v2.21.0

v2.22.0

v2.23.0

v2.24.0

v2.25.0

v2.26.0

v2.27.0

v2.28.0

v2.29.0

v2.3.0

v2.30.0

v2.31.0

v2.32.0

v2.32.1

v2.33.0

v2.34.0

v2.35.0

v2.36.0

v2.37.0

v2.37.1

v2.38.0

v2.39.0

v2.4.0

v2.40.0

v2.41.0

v2.42.0

v2.43.0

v2.44.0

v2.44.1

v2.45.0

v2.46.0

v2.47.0

v2.48.0

v2.49.0

v2.5.0

v2.50.0

v2.50.1

v2.51.0

v2.52.0

v2.53.0

v2.54.0

v2.55.0

v2.56.0

v2.57.0

v2.57.1

v2.58.0

v2.59.0

v2.6.0

v2.60.0

v2.61.0

v2.62.0

v2.63.0

v2.64.0

v2.65.0

v2.65.1

v2.66.0

v2.67.0

v2.68.0

v2.69.0

v2.7.0

v2.70.0

v2.71.0

v2.72.0

v2.73.0

v2.74.0

v2.75.0

v2.75.1

v2.76.0

v2.77.0

v2.78.0

v2.79.0

v2.79.1

v2.8.0

v2.80.0

v2.81.0

v2.82.0

v2.83.0

v2.84.0

v2.85.0

v2.85.1

v2.9.0

v3.*

v3.0.0

v3.1.0

v3.1.1

v3.10.0

v3.11.0

v3.11.1

v3.12.0

v3.13.0

v3.14.0

v3.15.0

v3.16.0

v3.17.0

v3.18.0

v3.19.0

v3.2.0

v3.2.1

v3.20.0

v3.21.0

v3.22.0

v3.22.1

v3.23.0

v3.24.0

v3.24.1

v3.24.2

v3.25.0

v3.26.0

v3.26.1

v3.27.0

v3.27.1

v3.28.0

v3.29.0

v3.3.0

v3.30.0

v3.31.0

v3.32.0

v3.33.0

v3.33.1

v3.34.0

v3.35.0

v3.36.0

v3.37.0

v3.38.0

v3.38.1

v3.39.0

v3.39.1

v3.4.0

v3.40.0

v3.40.1

v3.41.0

v3.41.1

v3.41.2

v3.41.3

v3.42.0

v3.43.0

v3.44.0

v3.45.0

v3.45.1

v3.45.2

v3.46.0

v3.47.0

v3.48.0

v3.5.0

v3.6.0

v3.7.0

v3.8.0

v3.9.0

v4.*

v4.0.0

v4.1.0

v4.10.0

v4.10.1

v4.11.0

v4.11.1

v4.11.2

v4.12.0

v4.13.0

v4.14.0

v4.15.0

v4.16.0

v4.17.0

v4.18.0

v4.19.0

v4.2.0

v4.20.0

v4.21.0

v4.22.0

v4.23.0

v4.3.0

v4.4.0

v4.5.0

v4.6.0

v4.7.0

v4.8.0

v4.9.0

v4.9.1

v4.99.17

v5.*

v5.0.0

v5.0.1

v5.1.0

v5.10.0

v5.10.1

v5.11.0

v5.12.0

v5.13.0

v5.14.0

v5.15.0

v5.16.0

v5.16.1

v5.17.0

v5.18.0

v5.19.0

v5.2.0

v5.20.0

v5.21.0

v5.22.0

v5.22.1

v5.23.0

v5.24.0

v5.25.0

v5.26.0

v5.27.0

v5.28.0

v5.29.0

v5.3.0

v5.30.0

v5.31.0

v5.31.1

v5.32.0

v5.33.0

v5.33.1

v5.33.2

v5.34.0

v5.35.0

v5.36.0

v5.37.0

v5.38.0

v5.39.0

v5.39.1

v5.4.0

v5.4.1

v5.4.2

v5.40.0

v5.41.0

v5.42.0

v5.43.0

v5.44.0

v5.5.0

v5.6.0

v5.7.0

v5.7.1

v5.7.2

v5.8.0

v5.8.1

v5.9.0

v6.*

v6.0.0

v6.1.0

v6.10.0

v6.11.0

v6.12.0

v6.13.0

v6.14.0

v6.14.1

v6.15.0

v6.15.1

v6.16.0

v6.17.0

v6.18.0

v6.18.1

v6.19.0

v6.19.1

v6.2.0

v6.2.1

v6.20.0

v6.21.0

v6.22.0

v6.23.0

v6.24.0

v6.25.0

v6.26.0

v6.27.0

v6.28.0

v6.28.1

v6.29.0

v6.3.0

v6.4.0

v6.5.0

v6.6.0

v6.6.1

v6.7.0

v6.7.1

v6.8.0

v6.9.0

v7.*

v7.0.0

v7.1.0

v7.10.0

v7.11.0

v7.12.0

v7.13.0

v7.14.0

v7.15.0

v7.16.0

v7.17.0

v7.18.0

v7.19.0

v7.2.0

v7.20.0

v7.21.0

v7.22.0

v7.23.0

v7.24.0

v7.25.0

v7.26.0

v7.3.0

v7.4.0

v7.5.0

v7.5.1

v7.6.0

v7.7.0

v7.8.0

v7.9.0

v8.*

v8.0.0

v8.0.1

v8.1.0

v8.1.1

v8.10.0

v8.11.0

v8.11.1

v8.12.0

v8.13.0

v8.14.0

v8.15.0

v8.16.0

v8.16.1

v8.16.2

v8.2.0

v8.2.1

v8.2.100

v8.3.0

v8.4.0

v8.5.0

v8.6.0

v8.7.0

v8.8.0

v8.9.0

v9.*

v9.0.0

v9.1.0

v9.2.0

v9.2.1

v9.3.0

v9.3.1

v9.4.0

v9.5.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33206.json"