CVE-2025-64486 CRITICAL

CVE-2025-64486: calibre is vulnerable to arbitrary code execution when opening FB2 files

Vendor Kovidgoyal
Product calibre
Weakness CWE-73
Published November 7, 2025
Last update November 13, 2025

CVSS base score

9.3/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Passive
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01 Description

calibre is an e-book manager. In versions 8.13.0 and prior, calibre does not validate filenames when handling binary assets in FB2 files, allowing an attacker to write arbitrary files on the filesystem when viewing or converting a malicious FictionBook file. This can be leveraged to achieve arbitrary code execution. This issue is fixed in version 8.14.0.
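As an added illustration, not calibre's own code, the following is a minimal FB2 binary-asset extractor that applies the filename validation the description says was missing: the id of each <binary> element must be a single path component, and the resolved destination must still lie under the output directory. The sample document, the asset ids and the helper names are constructed for this example.

```python
import base64
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

FB2_NS = "{http://www.gribuser.ru/xml/fictionbook/2.0}"

# Constructed sample: one well-formed asset and one whose id carries a
# path component (the externally controlled file name CWE-73 describes).
SAMPLE_FB2 = b"""<?xml version="1.0" encoding="utf-8"?>
<FictionBook xmlns="http://www.gribuser.ru/xml/fictionbook/2.0">
  <binary id="cover.png" content-type="image/png">aGVsbG8=</binary>
  <binary id="../../evil.sh" content-type="text/plain">ZWNobyBoaQ==</binary>
</FictionBook>
"""


def safe_asset_name(asset_id: str) -> Optional[str]:
    """Return the id unchanged if it is a plain file name, else None (reject)."""
    if not asset_id or asset_id in (".", ".."):
        return None
    # Reject separators and anything that is not a single path component
    # instead of trying to "clean" it.
    if "/" in asset_id or "\\" in asset_id or os.path.basename(asset_id) != asset_id:
        return None
    return asset_id


def extract_binaries(fb2_bytes: bytes, out_dir: str) -> Tuple[List[str], List[str]]:
    """Decode <binary> elements into out_dir; return (written ids, rejected ids)."""
    root = ET.fromstring(fb2_bytes)  # untrusted XML: consider defusedxml in production
    out_dir = os.path.realpath(out_dir)
    written, rejected = [], []
    for elem in root.iter(FB2_NS + "binary"):
        asset_id = elem.get("id", "")
        name = safe_asset_name(asset_id)
        dest = os.path.realpath(os.path.join(out_dir, name)) if name else ""
        # Defence in depth: the final path must resolve inside out_dir.
        if name is None or os.path.commonpath([out_dir, dest]) != out_dir:
            rejected.append(asset_id)
            continue
        with open(dest, "wb") as fh:
            fh.write(base64.b64decode(elem.text or ""))
        written.append(name)
    return written, rejected


def demo() -> Tuple[List[str], List[str], bytes]:
    """Run the extractor on the sample in a scratch directory; return results."""
    with tempfile.TemporaryDirectory() as tmp:
        written, rejected = extract_binaries(SAMPLE_FB2, tmp)
        with open(os.path.join(tmp, "cover.png"), "rb") as fh:
            payload = fh.read()
    return written, rejected, payload


if __name__ == "__main__":
    print(demo())
```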

Key dates

02 Disclosure timeline

November 7, 2025 CVE published
November 13, 2025 Record updated