CVE-2026-53511
Kovid Goyal · Calibre
The Calibre e-book manager is vulnerable to code injection, which can be triggered when a user processes a maliciously crafted e-book file.
Executive summary
A critical code injection vulnerability in Kovid Goyal Calibre allows for arbitrary code execution if a user is tricked into opening a malicious e-book file.
Vulnerability
This vulnerability is categorized as Improper Control of Generation of Code (CWE-94), specifically code injection. An attacker can craft a malicious e-book file that, when parsed by the application, results in the execution of arbitrary code with the privileges of the user running the software.
Business impact
A successful exploit could result in full system compromise, data theft, or the installation of malware on the end-user's device. Given the CVSS score of 8.5, this represents a significant risk, particularly in environments where Calibre is used to process untrusted e-book files from external sources.
Remediation
Immediate Action: Upgrade to Calibre version 9.10.0 or higher to implement the necessary security patches.
Proactive Monitoring: Monitor user workstations for suspicious outbound network connections or unusual process execution spawned by the Calibre application.
Compensating Controls: Implement endpoint protection solutions that monitor for malicious file execution and restrict application behavior if a suspicious file is opened.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Users and administrators should treat this vulnerability with high urgency. It is recommended that all instances of Calibre be updated to version 9.10.0 immediately to mitigate the risk of code injection and ensure the safety of the host system.