DEBIAN-CVE-2026-27810

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2026-27810
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-27810.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-27810
Upstream
Published
2026-02-27T20:21:39.780Z
Modified
2026-03-18T04:00:11.109048Z
Severity
  • 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, an HTTP Response Header Injection vulnerability in the calibre Content Server allows any authenticated user to inject arbitrary HTTP headers into server responses via an unsanitized content_disposition query parameter in the /get/ and /data-files/get/ endpoints. All users running the calibre Content Server with authentication enabled are affected. The vulnerability is exploitable by any authenticated user and can also be triggered by tricking an authenticated victim into clicking a crafted link. Version 9.4.0 contains a fix for the issue.

References

Affected packages

Debian:11 / calibre

Package

Name
calibre
Purl
pkg:deb/debian/calibre?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*
5.12.0+dfsg-1
5.12.0+dfsg-1+deb11u1
5.12.0+dfsg-1+deb11u2
5.12.0+dfsg-1+deb11u3
5.13.0+dfsg-1
5.14.0+dfsg-1
5.14.0+dfsg-2
5.14.0+dfsg-3
5.14.0+dfsg-4
5.14.0+dfsg-5
5.14.0+dfsg-6
5.14.0+dfsg-7
5.14.0+dfsg-8
5.15.0+dfsg-1
5.15.0+dfsg-2
5.16.1+dfsg-1
5.17.0+dfsg-1
5.17.0+dfsg-2
5.17.0+dfsg-3
5.17.0+dfsg-4
5.18.0+dfsg-1
5.19.0+dfsg-1
5.20.0+dfsg-1
5.20.0+dfsg-2
5.20.0+dfsg-3
5.21.0+dfsg-1
5.22.0+dfsg-1
5.22.0+dfsg-2
5.22.1+dfsg-1
5.23.0+dfsg-1
5.23.0+dfsg-2
5.24.0+dfsg-1
5.25.0+dfsg-1
5.25.0+dfsg-2
5.25.0+dfsg-3
5.26.0+dfsg-1
5.26.0+dfsg-2
5.26.0+dfsg-3
5.26.0+dfsg-4
5.27.0+dfsg-1
5.28.0+dfsg-1
5.29.0+dfsg-1
5.30.0+dfsg-1
5.31.1+dfsg-1
5.31.1+dfsg-2
5.31.1+dfsg-3
5.32.0+dfsg-1
5.32.0+dfsg-2
5.33.0+dfsg-1
5.33.2+dfsg-1
5.34.0+dfsg-1
5.35.0+dfsg-1
5.35.0+dfsg-2
5.35.0+dfsg-3
5.36.0+dfsg-1
5.37.0+dfsg-1
5.38.0+dfsg-1
5.39.0+dfsg-1
5.39.1+dfsg-1
5.39.1+dfsg-2
5.40.0+dfsg-1
5.40.0+dfsg-2
5.41.0+dfsg-1
5.41.0+dfsg-2~bpo11+1
5.41.0+dfsg-2~exp1
5.41.0+dfsg-2
5.42.0+dfsg-1~bpo11+1
5.42.0+dfsg-1
5.43.0+dfsg-1~bpo11+1
5.43.0+dfsg-1
5.44.0+dfsg-1~bpo11+1
5.44.0+dfsg-1~bpo11+2
5.44.0+dfsg-1
6.*
6.0.0+dfsg-1~exp1
6.0.0+dfsg-1~exp2
6.0.0+dfsg-1~exp3
6.0.0+dfsg-1~exp4
6.0.0+dfsg-1~exp5
6.0.0+dfsg-1~exp6
6.0.0+dfsg-1~exp7
6.0.0+dfsg-1~exp8
6.0.0+dfsg-1~exp9
6.0.0+dfsg-1
6.0.0+dfsg-2
6.1.0+dfsg-1
6.2.0+dfsg-1
6.2.1+dfsg-1
6.2.1+dfsg-2
6.2.1+dfsg-3
6.2.1+dfsg-4
6.2.1+dfsg-5
6.2.1+dfsg-6
6.2.1+dfsg-7
6.3.0+dfsg-1
6.3.0+dfsg-2
6.3.0+dfsg-3
6.4.0+dfsg-1
6.5.0+dfsg-1
6.5.0+dfsg-2
6.6.0+dfsg-1
6.6.1+dfsg-1
6.6.1+dfsg-2
6.7.0+dfsg-1
6.7.1+dfsg-1
6.7.1+dfsg-2
6.7.1+dfsg-3
6.7.1+dfsg-4
6.7.1+dfsg-5
6.7.1+dfsg-6
6.8.0+dfsg-1
6.9.0+dfsg-1
6.10.0+dfsg-1
6.10.0+dfsg-2
6.10.0+dfsg-3
6.10.0+dfsg-4
6.10.0+dfsg-5
6.11.0+dfsg-1~exp1
6.11.0+dfsg-1
6.11.0+dfsg-2
6.13.0-1~exp1
6.13.0-1~exp2
6.13.0-1~exp3
6.13.0+repack-1~exp1
6.13.0+repack-1~exp2
6.13.0+repack-1
6.13.0+repack-2
6.14.0-1
6.14.1-1
6.15.0-1
6.15.1-1
6.15.1-2
6.15.1-3
6.15.1-4
6.16.0-1
6.17.0-1
6.18.1-1
6.18.1-2
6.18.1-3
6.19.1-1
6.20.0-1
6.21.0-1
6.21.0-2
6.22.0-1
6.23.0-1
6.23.0-2
6.24.0-1
6.24.0-2
6.24.0+ds-1
6.25.0+ds-1
6.26.0+ds-1
6.27.0+ds-1
6.28.0+ds-1
6.28.1+ds-1
6.29.0+ds-1
7.*
7.0.0+ds-1
7.1.0+ds-1
7.1.0+ds-2
7.2.0+ds-1
7.3.0+ds-1
7.4.0+ds-1
7.5.1+ds-1
7.5.1+ds-2
7.5.1+ds-3
7.6.0+ds-1
7.7.0+ds-1
7.7.0+ds-2
7.8.0+ds1-1
7.8.0+ds1-2
7.8.0+ds2-1
7.9.0+ds-1
7.9.0+ds-2
7.10.0+ds-1
7.11.0+ds-1
7.12.0+ds-1
7.12.0+ds-2
7.12.0+ds-3
7.13.0+ds-1
7.13.0+ds-2
7.14.0+ds-1
7.15.0+ds-1
7.16.0+ds-1
7.16.0+ds-2
7.16.0+ds-3
7.17.0+ds-1
7.17.0+ds-2
7.17.0+ds-3
7.17.0+ds-4
7.18.0+ds-1
7.19.0+ds-1
7.19.0+ds-2
7.20.0+ds-1
7.21.0+ds-1
7.21.0+ds-2
7.22.0+ds-1
7.22.0+ds-2
7.23.0+ds-1
7.23.0+ds-2
7.24.0+ds-1
7.24.0+ds-2
7.25.0+ds-1
7.26.0+ds-1
7.26.0+ds-2
7.26.0+ds-3
7.26.0+ds-4
8.*
8.0.0+ds-1
8.0.1+ds-1
8.1.0+ds-1
8.1.1+ds-1
8.2.1+ds-1
8.2.100+ds-1
8.3.0+ds-1
8.4.0+ds-1
8.4.0+ds1-1~exp1
8.5.0+ds-1
8.6.0+ds-1
8.7.0+ds-1
8.8.0+ds-1
8.8.0+ds-2
8.8.0+ds-2+gcc15
8.8.0+ds-3
8.9.0+ds-1
8.9.0+ds-2
8.9.0+ds-3
8.9.0+ds-4
8.10.0+ds-1
8.10.0+ds-2
8.10.0+ds-3
8.11.0+ds+~0.10.5-1
8.11.1+ds+~0.10.5-1
8.11.1+ds+~0.10.5-2
8.11.1+ds+~0.10.5-3
8.12.0+ds+~0.10.5-1
8.13.0+ds+~0.10.5-1
8.13.0+ds+~0.10.5-2
8.13.0+ds+~0.10.5-3
8.14.0+ds+~0.10.5-1~bpo13+1
8.14.0+ds+~0.10.5-1
8.15.0+ds+~0.10.5-1~bpo13+1
8.15.0+ds+~0.10.5-1
8.15.0+ds+~0.10.5-2
8.16.0+ds+~0.10.5-1
8.16.0+ds+~0.10.5-2
8.16.1+ds+~0.10.5-1
8.16.2+ds+~0.10.5-1
8.16.2+ds+~0.10.5-2
8.16.2+ds+~0.10.5-3~bpo13+1
8.16.2+ds+~0.10.5-3
9.*
9.0.0+ds+~0.10.5-1
9.1.0+ds+~0.10.5-1
9.2.0+ds+~0.10.5-1
9.2.1+ds+~0.10.5-1
9.2.1+ds+~0.10.5-2
9.3.0+ds+~0.10.5-1
9.3.1+ds+~0.10.5-1
9.4.0+ds+~0.10.5-1
9.5.0+ds+~0.10.5-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-27810.json"

Debian:12 / calibre

Package

Name
calibre
Purl
pkg:deb/debian/calibre?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

6.*
6.13.0+repack-2
6.13.0+repack-2+deb12u1
6.13.0+repack-2+deb12u2
6.13.0+repack-2+deb12u3
6.13.0+repack-2+deb12u4
6.13.0+repack-2+deb12u5
6.14.0-1
6.14.1-1
6.15.0-1
6.15.1-1
6.15.1-2
6.15.1-3
6.15.1-4
6.16.0-1
6.17.0-1
6.18.1-1
6.18.1-2
6.18.1-3
6.19.1-1
6.20.0-1
6.21.0-1
6.21.0-2
6.22.0-1
6.23.0-1
6.23.0-2
6.24.0-1
6.24.0-2
6.24.0+ds-1
6.25.0+ds-1
6.26.0+ds-1
6.27.0+ds-1
6.28.0+ds-1
6.28.1+ds-1
6.29.0+ds-1
7.*
7.0.0+ds-1
7.1.0+ds-1
7.1.0+ds-2
7.2.0+ds-1
7.3.0+ds-1
7.4.0+ds-1
7.5.1+ds-1
7.5.1+ds-2
7.5.1+ds-3
7.6.0+ds-1
7.7.0+ds-1
7.7.0+ds-2
7.8.0+ds1-1
7.8.0+ds1-2
7.8.0+ds2-1
7.9.0+ds-1
7.9.0+ds-2
7.10.0+ds-1
7.11.0+ds-1
7.12.0+ds-1
7.12.0+ds-2
7.12.0+ds-3
7.13.0+ds-1
7.13.0+ds-2
7.14.0+ds-1
7.15.0+ds-1
7.16.0+ds-1
7.16.0+ds-2
7.16.0+ds-3
7.17.0+ds-1
7.17.0+ds-2
7.17.0+ds-3
7.17.0+ds-4
7.18.0+ds-1
7.19.0+ds-1
7.19.0+ds-2
7.20.0+ds-1
7.21.0+ds-1
7.21.0+ds-2
7.22.0+ds-1
7.22.0+ds-2
7.23.0+ds-1
7.23.0+ds-2
7.24.0+ds-1
7.24.0+ds-2
7.25.0+ds-1
7.26.0+ds-1
7.26.0+ds-2
7.26.0+ds-3
7.26.0+ds-4
8.*
8.0.0+ds-1
8.0.1+ds-1
8.1.0+ds-1
8.1.1+ds-1
8.2.1+ds-1
8.2.100+ds-1
8.3.0+ds-1
8.4.0+ds-1
8.4.0+ds1-1~exp1
8.5.0+ds-1
8.6.0+ds-1
8.7.0+ds-1
8.8.0+ds-1
8.8.0+ds-2
8.8.0+ds-2+gcc15
8.8.0+ds-3
8.9.0+ds-1
8.9.0+ds-2
8.9.0+ds-3
8.9.0+ds-4
8.10.0+ds-1
8.10.0+ds-2
8.10.0+ds-3
8.11.0+ds+~0.10.5-1
8.11.1+ds+~0.10.5-1
8.11.1+ds+~0.10.5-2
8.11.1+ds+~0.10.5-3
8.12.0+ds+~0.10.5-1
8.13.0+ds+~0.10.5-1
8.13.0+ds+~0.10.5-2
8.13.0+ds+~0.10.5-3
8.14.0+ds+~0.10.5-1~bpo13+1
8.14.0+ds+~0.10.5-1
8.15.0+ds+~0.10.5-1~bpo13+1
8.15.0+ds+~0.10.5-1
8.15.0+ds+~0.10.5-2
8.16.0+ds+~0.10.5-1
8.16.0+ds+~0.10.5-2
8.16.1+ds+~0.10.5-1
8.16.2+ds+~0.10.5-1
8.16.2+ds+~0.10.5-2
8.16.2+ds+~0.10.5-3~bpo13+1
8.16.2+ds+~0.10.5-3
9.*
9.0.0+ds+~0.10.5-1
9.1.0+ds+~0.10.5-1
9.2.0+ds+~0.10.5-1
9.2.1+ds+~0.10.5-1
9.2.1+ds+~0.10.5-2
9.3.0+ds+~0.10.5-1
9.3.1+ds+~0.10.5-1
9.4.0+ds+~0.10.5-1
9.5.0+ds+~0.10.5-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-27810.json"

Debian:13 / calibre

Package

Name
calibre
Purl
pkg:deb/debian/calibre?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

8.*
8.5.0+ds-1
8.5.0+ds-1+deb13u1
8.6.0+ds-1
8.7.0+ds-1
8.8.0+ds-1
8.8.0+ds-2
8.8.0+ds-2+gcc15
8.8.0+ds-3
8.9.0+ds-1
8.9.0+ds-2
8.9.0+ds-3
8.9.0+ds-4
8.10.0+ds-1
8.10.0+ds-2
8.10.0+ds-3
8.11.0+ds+~0.10.5-1
8.11.1+ds+~0.10.5-1
8.11.1+ds+~0.10.5-2
8.11.1+ds+~0.10.5-3
8.12.0+ds+~0.10.5-1
8.13.0+ds+~0.10.5-1
8.13.0+ds+~0.10.5-2
8.13.0+ds+~0.10.5-3
8.14.0+ds+~0.10.5-1~bpo13+1
8.14.0+ds+~0.10.5-1
8.15.0+ds+~0.10.5-1~bpo13+1
8.15.0+ds+~0.10.5-1
8.15.0+ds+~0.10.5-2
8.16.0+ds+~0.10.5-1
8.16.0+ds+~0.10.5-2
8.16.1+ds+~0.10.5-1
8.16.2+ds+~0.10.5-1
8.16.2+ds+~0.10.5-2
8.16.2+ds+~0.10.5-3~bpo13+1
8.16.2+ds+~0.10.5-3
9.*
9.0.0+ds+~0.10.5-1
9.1.0+ds+~0.10.5-1
9.2.0+ds+~0.10.5-1
9.2.1+ds+~0.10.5-1
9.2.1+ds+~0.10.5-2
9.3.0+ds+~0.10.5-1
9.3.1+ds+~0.10.5-1
9.4.0+ds+~0.10.5-1
9.5.0+ds+~0.10.5-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-27810.json"

Debian:14 / calibre

Package

Name
calibre
Purl
pkg:deb/debian/calibre?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.4.0+ds+~0.10.5-1

Affected versions

8.*
8.5.0+ds-1
8.6.0+ds-1
8.7.0+ds-1
8.8.0+ds-1
8.8.0+ds-2
8.8.0+ds-2+gcc15
8.8.0+ds-3
8.9.0+ds-1
8.9.0+ds-2
8.9.0+ds-3
8.9.0+ds-4
8.10.0+ds-1
8.10.0+ds-2
8.10.0+ds-3
8.11.0+ds+~0.10.5-1
8.11.1+ds+~0.10.5-1
8.11.1+ds+~0.10.5-2
8.11.1+ds+~0.10.5-3
8.12.0+ds+~0.10.5-1
8.13.0+ds+~0.10.5-1
8.13.0+ds+~0.10.5-2
8.13.0+ds+~0.10.5-3
8.14.0+ds+~0.10.5-1~bpo13+1
8.14.0+ds+~0.10.5-1
8.15.0+ds+~0.10.5-1~bpo13+1
8.15.0+ds+~0.10.5-1
8.15.0+ds+~0.10.5-2
8.16.0+ds+~0.10.5-1
8.16.0+ds+~0.10.5-2
8.16.1+ds+~0.10.5-1
8.16.2+ds+~0.10.5-1
8.16.2+ds+~0.10.5-2
8.16.2+ds+~0.10.5-3~bpo13+1
8.16.2+ds+~0.10.5-3
9.*
9.0.0+ds+~0.10.5-1
9.1.0+ds+~0.10.5-1
9.2.0+ds+~0.10.5-1
9.2.1+ds+~0.10.5-1
9.2.1+ds+~0.10.5-2
9.3.0+ds+~0.10.5-1
9.3.1+ds+~0.10.5-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-27810.json"