CVE-2025-64486
CRITICAL
calibre < 8.14.0 - Arbitrary File Write and Remote Code Execution via FB2 Binary Asset Filename
Title source: llmDescription
calibre is an e-book manager. In versions 8.13.0 and prior, calibre does not validate filenames when handling binary assets in FB2 files, allowing an attacker to write arbitrary files on the filesystem when viewing or converting a malicious FictionBook file. This can be leveraged to achieve arbitrary code execution. This issue is fixed in version 8.14.0.
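Added example, not calibre's code and not the advisory's proof of concept: a minimal FB2 binary-asset extractor written in the vulnerable shape the description implies (CWE-73, attacker-controlled file name used unchanged), beside a hardened version. It assumes, as the FB2 format specifies, that each embedded asset is a `<binary id="...">` element holding base64 data and that the `id` is what gets used as the on-disk file name; the two-asset FictionBook, the scratch directories and the names `extract_unsafe`, `extract_safe`, `safe_asset_name`, `run_demo` and `escaped.txt` are all constructed for this example.

```python
import base64
import os
import tempfile
import xml.etree.ElementTree as ET

FB2_NS = "http://www.gribuser.ru/xml/fictionbook/2.0"

# Constructed sample (not from the advisory): one legitimate cover image and
# one <binary> whose id is a path traversal sequence. In FB2 each embedded
# asset is a <binary id="..."> element holding base64 data, and the id is
# what a naive extractor uses as the on-disk file name.
COVER_B64 = base64.b64encode(b"\xff\xd8\xff fake jpeg bytes").decode()
PAYLOAD_B64 = base64.b64encode(b"written outside the output directory").decode()
MALICIOUS_FB2 = f"""<FictionBook xmlns="{FB2_NS}">
  <body><section><p>Hello</p></section></body>
  <binary id="cover.jpg" content-type="image/jpeg">{COVER_B64}</binary>
  <binary id="../../escaped.txt" content-type="text/plain">{PAYLOAD_B64}</binary>
</FictionBook>"""


def iter_binaries(fb2_text):
    """Yield (id, decoded bytes) for every <binary> element in the book."""
    root = ET.fromstring(fb2_text)
    for el in root.iter(f"{{{FB2_NS}}}binary"):
        yield el.get("id", ""), base64.b64decode(el.text or "")


def extract_unsafe(fb2_text, outdir):
    """CWE-73 shape: the attacker-controlled id is joined onto outdir unchanged,
    so '../' segments walk out of it. Returns the resolved paths written."""
    written = []
    for name, data in iter_binaries(fb2_text):
        path = os.path.join(outdir, name)
        with open(path, "wb") as fh:
            fh.write(data)
        written.append(os.path.realpath(path))
    return written


class UnsafeAssetName(ValueError):
    """Raised for an asset id that is not a plain file name."""


def safe_asset_name(name):
    """Allow-list check: non-empty, not '.'/'..', no NUL, no path separators
    (either style, so the rule also holds on Windows) and not absolute."""
    if (not name or name in (".", "..") or "\0" in name
            or "/" in name or "\\" in name or os.path.isabs(name)):
        raise UnsafeAssetName(name)
    return name


def extract_safe(fb2_text, outdir):
    """Hardened extractor: validate the name, then re-check containment on the
    resolved path (defence in depth). Returns (written paths, rejected ids)."""
    outdir = os.path.realpath(outdir)
    written, rejected = [], []
    for name, data in iter_binaries(fb2_text):
        try:
            safe_asset_name(name)
        except UnsafeAssetName:
            rejected.append(name)
            continue
        path = os.path.realpath(os.path.join(outdir, name))
        if os.path.dirname(path) != outdir:  # must land directly in outdir
            rejected.append(name)
            continue
        with open(path, "wb") as fh:
            fh.write(data)
        written.append(path)
    return written, rejected


def run_demo():
    """Run both extractors in fresh scratch trees and report where files went."""
    results = {}
    for label, extractor in (("unsafe", extract_unsafe), ("safe", extract_safe)):
        root = os.path.realpath(tempfile.mkdtemp(prefix=f"fb2-{label}-"))
        outdir = os.path.join(root, "book", "assets")  # two levels below root
        os.makedirs(outdir)
        outcome = extractor(MALICIOUS_FB2, outdir)
        results[label] = {
            "written": outcome[0] if label == "safe" else outcome,
            "rejected": outcome[1] if label == "safe" else [],
            # True only if ../../escaped.txt climbed out of outdir into root
            "escaped": os.path.exists(os.path.join(root, "escaped.txt")),
        }
    return results


if __name__ == "__main__":
    for label, r in run_demo().items():
        print(label, "escaped outdir:", r["escaped"], "rejected:", r["rejected"])
```

The allow-list check alone would be enough here; the second containment test on the resolved path is kept because it costs nothing and also catches a name that passes the string check but resolves elsewhere through a symlink already present in the output directory. In a real viewer or converter the output directory is a cache or working tree chosen by the application, so every asset name from the book must be treated as untrusted input, not as a path.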
References
Vendor Advisory x_refsource_confirm
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-hpwq-c98h-xp8g
Scores
CVSS v4
9.3 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
EPSS
0.0016
EPSS Percentile
5.1%
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-73 (External Control of File Name or Path)
Status
published
Products (1)
kovidgoyal/calibre
< 8.14.0
Published
Nov 08, 2025
Tracked Since
Feb 18, 2026