CVE-2026-30853
MEDIUMcalibre < 9.5.0 - Path Traversal and Arbitrary File Write via RocketBook Input Plugin
Title source: llmDescription
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to 9.5.0, a path traversal vulnerability in the RocketBook (.rb) input plugin (src/calibre/ebooks/rb/reader.py) allows an attacker to write arbitrary files to any path writable by the calibre process when a user opens or converts a crafted .rb file. This is the same bug class fixed in CVE-2026-26065 for the PDB readers, but the fix was never applied to the RB reader. This vulnerability is fixed in 9.5.0.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-7mp7-rfrg-542x
Scores
CVSS v3
5.0
EPSS
0.0021
EPSS Percentile
10.5%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (2)
calibre-ebook/calibre
< 9.5.0
kovidgoyal/calibre
< 9.5.0
Published
Mar 13, 2026
Tracked Since
Mar 14, 2026