Calibre-Web before 0.6.18 allows user table SQL Injection.
"https://github.com/pypa/advisory-database/blob/main/vulns/calibreweb/PYSEC-2026-305.yaml"