CVE-2026-33205 MEDIUM

CVE-2026-33205: calibre has Server-Side Request Forgery in ebook viewer backend

Vendor Kovidgoyal

Product calibre

Weakness CWE-918 · SSRF

Published March 27, 2026

Last update March 27, 2026

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Local

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader's web view allows an attacker to perform blind GET requests to arbitrary URLs and exfiltrate information out from the ebook sandbox. Version 9.6.0 patches the issue.

Key dates

02Disclosure timeline

March 27, 2026 CVE published

March 27, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-33205

Related vulnerabilities

CVE-2026-33205: calibre has Server-Side Request Forgery in ebook viewer backend

01Description

02Disclosure timeline

03References

04Related CVE