PYSEC-2026-1232

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/calibreweb/PYSEC-2026-1232.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1232
Aliases
Published
2026-07-07T14:34:44.756067Z
Modified
2026-07-07T17:47:24.626766834Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Generation of Error Message Containing Sensitive Information in janeczku/calibre-web
Details

A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file shelf.py at line 221, where the name of the shelf is exposed in an error message when a user attempts to remove a book from a shelf they do not own. This vulnerability discloses private information and affects all versions prior to the fix.

References

Affected packages

PyPI / calibreweb

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.6.15

Affected versions

0.*
0.6.12
0.6.13
0.6.14

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/calibreweb/PYSEC-2026-1232.yaml"