DEBIAN-CVE-2026-26064

Source
https://security-tracker.debian.org/tracker/CVE-2026-26064
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-26064.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-26064
Upstream
Published
2026-02-20T02:16:52.703Z
Modified
2026-02-21T10:39:01.055182Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows, this leads to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. The function extract_pictures() only checks startswith('Pictures') on archive member names and does not sanitize '..' sequences. calibre's own ZipFile.extractall() in utils/zipfile.py does sanitize '..' via _gettargetpath(), but extract_pictures() bypasses this by using manual zf.read() + open(). This issue has been fixed in version 9.3.0.
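To make the defect in the description concrete, here is an added example that is not calibre's code: a prefix-only check of the kind the advisory names, beside a hardened helper that normalises the archive member name and confirms the resolved output path stays inside the destination directory. The member names, the destination directory and the helper names are constructed for this example.

```python
import os
import posixpath
from typing import List, Optional

# Constructed archive member names (not from a real archive) covering the
# pattern the advisory describes: a bare prefix check passes '..' components.
SAMPLE_MEMBERS = [
    "Pictures/cover.jpg",            # legitimate
    "Pictures/../../escaped.txt",    # escapes the Pictures/ directory
    "Pictures/sub/../ok.png",        # '..' but still inside Pictures/
    "Picturesx/sneaky.txt",          # passes a prefix check, wrong directory
    "/Pictures/abs.txt",             # absolute path
]


def prefix_only_check(name: str) -> bool:
    """The weak pattern: a prefix match with no handling of '..' at all."""
    return name.startswith("Pictures")


def safe_target_path(dest_dir: str, name: str, prefix: str = "Pictures/") -> Optional[str]:
    """Hypothetical hardened helper: return the resolved output path for a
    zip member, or None if the member must be rejected."""
    # Zip names use '/'; collapse '.' and '..' components logically first.
    norm = posixpath.normpath(name.replace("\\", "/"))
    # After normpath, any surviving '..' is a leading one that escapes.
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        return None
    # Require the 'Pictures/' directory itself, so 'Picturesx/' is rejected.
    if not (norm + "/").startswith(prefix) or norm == prefix.rstrip("/"):
        return None
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, *norm.split("/")))
    # Final containment check on the real filesystem path (symlinks resolved).
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def rejected_by_hardened_check(dest_dir: str) -> List[str]:
    """Names from SAMPLE_MEMBERS that the hardened helper refuses to write."""
    return [m for m in SAMPLE_MEMBERS if safe_target_path(dest_dir, m) is None]
```

The same list run through prefix_only_check() rejects only the absolute path, which is the gap the advisory describes.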

References

Affected packages

Debian:11 / calibre

Package

Name
calibre
Purl
pkg:deb/debian/calibre?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

5.*
5.12.0+dfsg-1
5.12.0+dfsg-1+deb11u1
5.12.0+dfsg-1+deb11u2
5.12.0+dfsg-1+deb11u3
5.13.0+dfsg-1
5.14.0+dfsg-1
5.14.0+dfsg-2
5.14.0+dfsg-3
5.14.0+dfsg-4
5.14.0+dfsg-5
5.14.0+dfsg-6
5.14.0+dfsg-7
5.14.0+dfsg-8
5.15.0+dfsg-1
5.15.0+dfsg-2
5.16.1+dfsg-1
5.17.0+dfsg-1
5.17.0+dfsg-2
5.17.0+dfsg-3
5.17.0+dfsg-4
5.18.0+dfsg-1
5.19.0+dfsg-1
5.20.0+dfsg-1
5.20.0+dfsg-2
5.20.0+dfsg-3
5.21.0+dfsg-1
5.22.0+dfsg-1
5.22.0+dfsg-2
5.22.1+dfsg-1
5.23.0+dfsg-1
5.23.0+dfsg-2
5.24.0+dfsg-1
5.25.0+dfsg-1
5.25.0+dfsg-2
5.25.0+dfsg-3
5.26.0+dfsg-1
5.26.0+dfsg-2
5.26.0+dfsg-3
5.26.0+dfsg-4
5.27.0+dfsg-1
5.28.0+dfsg-1
5.29.0+dfsg-1
5.30.0+dfsg-1
5.31.1+dfsg-1
5.31.1+dfsg-2
5.31.1+dfsg-3
5.32.0+dfsg-1
5.32.0+dfsg-2
5.33.0+dfsg-1
5.33.2+dfsg-1
5.34.0+dfsg-1
5.35.0+dfsg-1
5.35.0+dfsg-2
5.35.0+dfsg-3
5.36.0+dfsg-1
5.37.0+dfsg-1
5.38.0+dfsg-1
5.39.0+dfsg-1
5.39.1+dfsg-1
5.39.1+dfsg-2
5.40.0+dfsg-1
5.40.0+dfsg-2
5.41.0+dfsg-1
5.41.0+dfsg-2~bpo11+1
5.41.0+dfsg-2~exp1
5.41.0+dfsg-2
5.42.0+dfsg-1~bpo11+1
5.42.0+dfsg-1
5.43.0+dfsg-1~bpo11+1
5.43.0+dfsg-1
5.44.0+dfsg-1~bpo11+1
5.44.0+dfsg-1~bpo11+2
5.44.0+dfsg-1
6.*
6.0.0+dfsg-1~exp1
6.0.0+dfsg-1~exp2
6.0.0+dfsg-1~exp3
6.0.0+dfsg-1~exp4
6.0.0+dfsg-1~exp5
6.0.0+dfsg-1~exp6
6.0.0+dfsg-1~exp7
6.0.0+dfsg-1~exp8
6.0.0+dfsg-1~exp9
6.0.0+dfsg-1
6.0.0+dfsg-2
6.1.0+dfsg-1
6.2.0+dfsg-1
6.2.1+dfsg-1
6.2.1+dfsg-2
6.2.1+dfsg-3
6.2.1+dfsg-4
6.2.1+dfsg-5
6.2.1+dfsg-6
6.2.1+dfsg-7
6.3.0+dfsg-1
6.3.0+dfsg-2
6.3.0+dfsg-3
6.4.0+dfsg-1
6.5.0+dfsg-1
6.5.0+dfsg-2
6.6.0+dfsg-1
6.6.1+dfsg-1
6.6.1+dfsg-2
6.7.0+dfsg-1
6.7.1+dfsg-1
6.7.1+dfsg-2
6.7.1+dfsg-3
6.7.1+dfsg-4
6.7.1+dfsg-5
6.7.1+dfsg-6
6.8.0+dfsg-1
6.9.0+dfsg-1
6.10.0+dfsg-1
6.10.0+dfsg-2
6.10.0+dfsg-3
6.10.0+dfsg-4
6.10.0+dfsg-5
6.11.0+dfsg-1~exp1
6.11.0+dfsg-1
6.11.0+dfsg-2
6.13.0-1~exp1
6.13.0-1~exp2
6.13.0-1~exp3
6.13.0+repack-1~exp1
6.13.0+repack-1~exp2
6.13.0+repack-1
6.13.0+repack-2
6.14.0-1
6.14.1-1
6.15.0-1
6.15.1-1
6.15.1-2
6.15.1-3
6.15.1-4
6.16.0-1
6.17.0-1
6.18.1-1
6.18.1-2
6.18.1-3
6.19.1-1
6.20.0-1
6.21.0-1
6.21.0-2
6.22.0-1
6.23.0-1
6.23.0-2
6.24.0-1
6.24.0-2
6.24.0+ds-1
6.25.0+ds-1
6.26.0+ds-1
6.27.0+ds-1
6.28.0+ds-1
6.28.1+ds-1
6.29.0+ds-1
7.*
7.0.0+ds-1
7.1.0+ds-1
7.1.0+ds-2
7.2.0+ds-1
7.3.0+ds-1
7.4.0+ds-1
7.5.1+ds-1
7.5.1+ds-2
7.5.1+ds-3
7.6.0+ds-1
7.7.0+ds-1
7.7.0+ds-2
7.8.0+ds1-1
7.8.0+ds1-2
7.8.0+ds2-1
7.9.0+ds-1
7.9.0+ds-2
7.10.0+ds-1
7.11.0+ds-1
7.12.0+ds-1
7.12.0+ds-2
7.12.0+ds-3
7.13.0+ds-1
7.13.0+ds-2
7.14.0+ds-1
7.15.0+ds-1
7.16.0+ds-1
7.16.0+ds-2
7.16.0+ds-3
7.17.0+ds-1
7.17.0+ds-2
7.17.0+ds-3
7.17.0+ds-4
7.18.0+ds-1
7.19.0+ds-1
7.19.0+ds-2
7.20.0+ds-1
7.21.0+ds-1
7.21.0+ds-2
7.22.0+ds-1
7.22.0+ds-2
7.23.0+ds-1
7.23.0+ds-2
7.24.0+ds-1
7.24.0+ds-2
7.25.0+ds-1
7.26.0+ds-1
7.26.0+ds-2
7.26.0+ds-3
7.26.0+ds-4
8.*
8.0.0+ds-1
8.0.1+ds-1
8.1.0+ds-1
8.1.1+ds-1
8.2.1+ds-1
8.2.100+ds-1
8.3.0+ds-1
8.4.0+ds-1
8.4.0+ds1-1~exp1
8.5.0+ds-1
8.6.0+ds-1
8.7.0+ds-1
8.8.0+ds-1
8.8.0+ds-2
8.8.0+ds-2+gcc15
8.8.0+ds-3
8.9.0+ds-1
8.9.0+ds-2
8.9.0+ds-3
8.9.0+ds-4
8.10.0+ds-1
8.10.0+ds-2
8.10.0+ds-3
8.11.0+ds+~0.10.5-1
8.11.1+ds+~0.10.5-1
8.11.1+ds+~0.10.5-2
8.11.1+ds+~0.10.5-3
8.12.0+ds+~0.10.5-1
8.13.0+ds+~0.10.5-1
8.13.0+ds+~0.10.5-2
8.13.0+ds+~0.10.5-3
8.14.0+ds+~0.10.5-1~bpo13+1
8.14.0+ds+~0.10.5-1
8.15.0+ds+~0.10.5-1~bpo13+1
8.15.0+ds+~0.10.5-1
8.15.0+ds+~0.10.5-2
8.16.0+ds+~0.10.5-1
8.16.0+ds+~0.10.5-2
8.16.1+ds+~0.10.5-1
8.16.2+ds+~0.10.5-1
8.16.2+ds+~0.10.5-2
8.16.2+ds+~0.10.5-3~bpo13+1
8.16.2+ds+~0.10.5-3
9.*
9.0.0+ds+~0.10.5-1
9.1.0+ds+~0.10.5-1
9.2.0+ds+~0.10.5-1
9.2.1+ds+~0.10.5-1
9.2.1+ds+~0.10.5-2
9.3.0+ds+~0.10.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-26064.json"

Debian:12 / calibre

Package

Name
calibre
Purl
pkg:deb/debian/calibre?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

6.*
6.13.0+repack-2
6.13.0+repack-2+deb12u1
6.13.0+repack-2+deb12u2
6.13.0+repack-2+deb12u3
6.13.0+repack-2+deb12u4
6.13.0+repack-2+deb12u5
6.14.0-1
6.14.1-1
6.15.0-1
6.15.1-1
6.15.1-2
6.15.1-3
6.15.1-4
6.16.0-1
6.17.0-1
6.18.1-1
6.18.1-2
6.18.1-3
6.19.1-1
6.20.0-1
6.21.0-1
6.21.0-2
6.22.0-1
6.23.0-1
6.23.0-2
6.24.0-1
6.24.0-2
6.24.0+ds-1
6.25.0+ds-1
6.26.0+ds-1
6.27.0+ds-1
6.28.0+ds-1
6.28.1+ds-1
6.29.0+ds-1
7.*
7.0.0+ds-1
7.1.0+ds-1
7.1.0+ds-2
7.2.0+ds-1
7.3.0+ds-1
7.4.0+ds-1
7.5.1+ds-1
7.5.1+ds-2
7.5.1+ds-3
7.6.0+ds-1
7.7.0+ds-1
7.7.0+ds-2
7.8.0+ds1-1
7.8.0+ds1-2
7.8.0+ds2-1
7.9.0+ds-1
7.9.0+ds-2
7.10.0+ds-1
7.11.0+ds-1
7.12.0+ds-1
7.12.0+ds-2
7.12.0+ds-3
7.13.0+ds-1
7.13.0+ds-2
7.14.0+ds-1
7.15.0+ds-1
7.16.0+ds-1
7.16.0+ds-2
7.16.0+ds-3
7.17.0+ds-1
7.17.0+ds-2
7.17.0+ds-3
7.17.0+ds-4
7.18.0+ds-1
7.19.0+ds-1
7.19.0+ds-2
7.20.0+ds-1
7.21.0+ds-1
7.21.0+ds-2
7.22.0+ds-1
7.22.0+ds-2
7.23.0+ds-1
7.23.0+ds-2
7.24.0+ds-1
7.24.0+ds-2
7.25.0+ds-1
7.26.0+ds-1
7.26.0+ds-2
7.26.0+ds-3
7.26.0+ds-4
8.*
8.0.0+ds-1
8.0.1+ds-1
8.1.0+ds-1
8.1.1+ds-1
8.2.1+ds-1
8.2.100+ds-1
8.3.0+ds-1
8.4.0+ds-1
8.4.0+ds1-1~exp1
8.5.0+ds-1
8.6.0+ds-1
8.7.0+ds-1
8.8.0+ds-1
8.8.0+ds-2
8.8.0+ds-2+gcc15
8.8.0+ds-3
8.9.0+ds-1
8.9.0+ds-2
8.9.0+ds-3
8.9.0+ds-4
8.10.0+ds-1
8.10.0+ds-2
8.10.0+ds-3
8.11.0+ds+~0.10.5-1
8.11.1+ds+~0.10.5-1
8.11.1+ds+~0.10.5-2
8.11.1+ds+~0.10.5-3
8.12.0+ds+~0.10.5-1
8.13.0+ds+~0.10.5-1
8.13.0+ds+~0.10.5-2
8.13.0+ds+~0.10.5-3
8.14.0+ds+~0.10.5-1~bpo13+1
8.14.0+ds+~0.10.5-1
8.15.0+ds+~0.10.5-1~bpo13+1
8.15.0+ds+~0.10.5-1
8.15.0+ds+~0.10.5-2
8.16.0+ds+~0.10.5-1
8.16.0+ds+~0.10.5-2
8.16.1+ds+~0.10.5-1
8.16.2+ds+~0.10.5-1
8.16.2+ds+~0.10.5-2
8.16.2+ds+~0.10.5-3~bpo13+1
8.16.2+ds+~0.10.5-3
9.*
9.0.0+ds+~0.10.5-1
9.1.0+ds+~0.10.5-1
9.2.0+ds+~0.10.5-1
9.2.1+ds+~0.10.5-1
9.2.1+ds+~0.10.5-2
9.3.0+ds+~0.10.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-26064.json"

Debian:13 / calibre

Package

Name
calibre
Purl
pkg:deb/debian/calibre?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

8.*
8.5.0+ds-1
8.5.0+ds-1+deb13u1
8.6.0+ds-1
8.7.0+ds-1
8.8.0+ds-1
8.8.0+ds-2
8.8.0+ds-2+gcc15
8.8.0+ds-3
8.9.0+ds-1
8.9.0+ds-2
8.9.0+ds-3
8.9.0+ds-4
8.10.0+ds-1
8.10.0+ds-2
8.10.0+ds-3
8.11.0+ds+~0.10.5-1
8.11.1+ds+~0.10.5-1
8.11.1+ds+~0.10.5-2
8.11.1+ds+~0.10.5-3
8.12.0+ds+~0.10.5-1
8.13.0+ds+~0.10.5-1
8.13.0+ds+~0.10.5-2
8.13.0+ds+~0.10.5-3
8.14.0+ds+~0.10.5-1~bpo13+1
8.14.0+ds+~0.10.5-1
8.15.0+ds+~0.10.5-1~bpo13+1
8.15.0+ds+~0.10.5-1
8.15.0+ds+~0.10.5-2
8.16.0+ds+~0.10.5-1
8.16.0+ds+~0.10.5-2
8.16.1+ds+~0.10.5-1
8.16.2+ds+~0.10.5-1
8.16.2+ds+~0.10.5-2
8.16.2+ds+~0.10.5-3~bpo13+1
8.16.2+ds+~0.10.5-3
9.*
9.0.0+ds+~0.10.5-1
9.1.0+ds+~0.10.5-1
9.2.0+ds+~0.10.5-1
9.2.1+ds+~0.10.5-1
9.2.1+ds+~0.10.5-2
9.3.0+ds+~0.10.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-26064.json"

Debian:14 / calibre

Package

Name
calibre
Purl
pkg:deb/debian/calibre?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

8.*
8.5.0+ds-1
8.6.0+ds-1
8.7.0+ds-1
8.8.0+ds-1
8.8.0+ds-2
8.8.0+ds-2+gcc15
8.8.0+ds-3
8.9.0+ds-1
8.9.0+ds-2
8.9.0+ds-3
8.9.0+ds-4
8.10.0+ds-1
8.10.0+ds-2
8.10.0+ds-3
8.11.0+ds+~0.10.5-1
8.11.1+ds+~0.10.5-1
8.11.1+ds+~0.10.5-2
8.11.1+ds+~0.10.5-3
8.12.0+ds+~0.10.5-1
8.13.0+ds+~0.10.5-1
8.13.0+ds+~0.10.5-2
8.13.0+ds+~0.10.5-3
8.14.0+ds+~0.10.5-1~bpo13+1
8.14.0+ds+~0.10.5-1
8.15.0+ds+~0.10.5-1~bpo13+1
8.15.0+ds+~0.10.5-1
8.15.0+ds+~0.10.5-2
8.16.0+ds+~0.10.5-1
8.16.0+ds+~0.10.5-2
8.16.1+ds+~0.10.5-1
8.16.2+ds+~0.10.5-1
8.16.2+ds+~0.10.5-2
8.16.2+ds+~0.10.5-3~bpo13+1
8.16.2+ds+~0.10.5-3
9.*
9.0.0+ds+~0.10.5-1
9.1.0+ds+~0.10.5-1
9.2.0+ds+~0.10.5-1
9.2.1+ds+~0.10.5-1
9.2.1+ds+~0.10.5-2
9.3.0+ds+~0.10.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-26064.json"