UBUNTU-CVE-2026-53511

Source
https://ubuntu.com/security/CVE-2026-53511
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-53511.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-53511
Upstream
Published
2026-07-07T21:17:00Z
Modified
2026-07-09T17:17:06.999952301Z
Severity
  • 8.5 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

calibre is an e-book manager. Prior to 9.10.0, a malicious EPUB, OPF, or PDF file can execute arbitrary Python code when its metadata is read by calibre, including through Add books or Edit books, by embedding a custom column definition with a python: template in calibre:user_metadata that is passed unsanitized to exec() in the template formatter. This issue is fixed in version 9.10.0.

References

Affected packages

Ubuntu:16.04:LTS
calibre

Package

Name
calibre
Purl
pkg:deb/ubuntu/calibre?arch=source&distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.33.0+dfsg-1build1
2.38.0+dfsg-1
2.45.0+dfsg-1
2.45.0+dfsg-1build1
2.48.0+dfsg-1
2.48.0+dfsg-1build1
2.54.0+dfsg-1
2.55.0+dfsg-1
2.55.0+dfsg-1ubuntu0.2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "calibre",
            "binary_version": "2.55.0+dfsg-1ubuntu0.2"
        },
        {
            "binary_name": "calibre-bin",
            "binary_version": "2.55.0+dfsg-1ubuntu0.2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-53511.json"
Ubuntu:18.04:LTS
calibre

Package

Name
calibre
Purl
pkg:deb/ubuntu/calibre?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.7.0+dfsg-2
3.7.0+dfsg-2build1
3.12.0+dfsg-1
3.13.0+dfsg-1
3.14.0+dfsg-1
3.15.0.1+dfsg-1
3.16.0+dfsg-1
3.16.0+dfsg-1build1
3.17.0+dfsg-1
3.17.0+dfsg-2
3.18.0+dfsg-1build1
3.19.0+dfsg-1
3.20.0+dfsg-1
3.21.0+dfsg-1
3.21.0+dfsg-1build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "calibre",
            "binary_version": "3.21.0+dfsg-1build1"
        },
        {
            "binary_name": "calibre-bin",
            "binary_version": "3.21.0+dfsg-1build1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-53511.json"
Ubuntu:20.04:LTS
calibre

Package

Name
calibre
Purl
pkg:deb/ubuntu/calibre?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.46.0+dfsg-1
4.*
4.2.0+dfsg-2
4.3.0+dfsg-1
4.3.0+dfsg-2
4.4.0+dfsg-1
4.5.0+dfsg-1
4.5.0+dfsg-2
4.5.0+dfsg-3
4.6.0+dfsg-1
4.7.0+dfsg-1
4.99.3+dfsg-2
4.99.4+dfsg-1
4.99.4+dfsg-1build1
4.99.4+dfsg+really4.10.0+py3-2
4.99.4+dfsg+really4.11.2-1
4.99.4+dfsg+really4.11.2-1build1
4.99.4+dfsg+really4.12.0-1
4.99.4+dfsg+really4.12.0-1build1
4.99.4+dfsg+really4.12.0-1ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "calibre",
            "binary_version": "4.99.4+dfsg+really4.12.0-1ubuntu1"
        },
        {
            "binary_name": "calibre-bin",
            "binary_version": "4.99.4+dfsg+really4.12.0-1ubuntu1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-53511.json"
Ubuntu:22.04:LTS
calibre

Package

Name
calibre
Purl
pkg:deb/ubuntu/calibre?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*
5.25.0+dfsg-2
5.33.2+dfsg-1
5.34.0+dfsg-1
5.35.0+dfsg-1ubuntu2
5.37.0+dfsg-1
5.37.0+dfsg-1build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "calibre",
            "binary_version": "5.37.0+dfsg-1build1"
        },
        {
            "binary_name": "calibre-bin",
            "binary_version": "5.37.0+dfsg-1build1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-53511.json"
Ubuntu:24.04:LTS
calibre

Package

Name
calibre
Purl
pkg:deb/ubuntu/calibre?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

6.*
6.24.0+ds-1
6.29.0+ds-1
7.*
7.0.0+ds-1
7.1.0+ds-1
7.1.0+ds-2
7.2.0+ds-1
7.2.0+ds-1build1
7.3.0+ds-1
7.4.0+ds-1
7.5.1+ds-1
7.5.1+ds-2
7.5.1+ds-3
7.6.0+ds-1
7.6.0+ds-1build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "calibre",
            "binary_version": "7.6.0+ds-1build1"
        },
        {
            "binary_name": "calibre-bin",
            "binary_version": "7.6.0+ds-1build1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-53511.json"
Ubuntu:25.10
calibre

Package

Name
calibre
Purl
pkg:deb/ubuntu/calibre?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

7.*
7.26.0+ds-4build1
8.*
8.3.0+ds-1
8.4.0+ds-1
8.5.0+ds-1
8.6.0+ds-1
8.7.0+ds-1
8.8.0+ds-2
8.8.0+ds-3
8.8.0+ds-3build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "calibre",
            "binary_version": "8.8.0+ds-3build1"
        },
        {
            "binary_name": "calibre-bin",
            "binary_version": "8.8.0+ds-3build1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-53511.json"
Ubuntu:26.04:LTS
calibre

Package

Name
calibre
Purl
pkg:deb/ubuntu/calibre?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

8.*
8.8.0+ds-3build1
8.13.0+ds+~0.10.5-3
8.14.0+ds+~0.10.5-1
8.15.0+ds+~0.10.5-1
8.16.0+ds+~0.10.5-2
8.16.2+ds+~0.10.5-1
8.16.2+ds+~0.10.5-2
8.16.2+ds+~0.10.5-3
9.*
9.2.1+ds+~0.10.5-2build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "calibre",
            "binary_version": "9.2.1+ds+~0.10.5-2build1"
        },
        {
            "binary_name": "calibre-bin",
            "binary_version": "9.2.1+ds+~0.10.5-2build1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-53511.json"