{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33205", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T23:23:58.312Z", "datePublished": "2026-03-27T13:52:06.860Z", "dateUpdated": "2026-03-27T19:58:43.747Z"}, "containers": {"cna": {"title": "calibre has Server-Side Request Forgery in ebook viewer backend", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v"}], "affected": [{"vendor": "kovidgoyal", "product": "calibre", "versions": [{"version": "< 9.6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T13:52:06.860Z"}, "descriptions": [{"lang": "en", "value": "calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader's web view allows an attacker to perform blind GET requests to arbitrary URLs and exfiltrate information out from the ebook sandbox. Version 9.6.0 patches the issue."}], "source": {"advisory": "GHSA-4926-v9px-wv7v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T18:57:50.837886Z", "id": "CVE-2026-33205", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:58:43.747Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33205", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T18:57:50.837886Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T18:57:56.907Z"}}], "cna": {"title": "calibre has Server-Side Request Forgery in ebook viewer backend", "source": {"advisory": "GHSA-4926-v9px-wv7v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "kovidgoyal", "product": "calibre", "versions": [{"status": "affected", "version": "< 9.6.0"}]}], "references": [{"url": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v", "name": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader's web view allows an attacker to perform blind GET requests to arbitrary URLs and exfiltrate information out from the ebook sandbox. Version 9.6.0 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T13:52:06.860Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33205", "state": "PUBLISHED", "dateUpdated": "2026-03-27T19:58:43.747Z", "dateReserved": "2026-03-17T23:23:58.312Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T13:52:06.860Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader's web view allows an attacker to perform blind GET requests to arbitrary URLs and exfiltrate information out from the ebook sandbox. Version 9.6.0 patches the issue."}], "id": "CVE-2026-33205", "lastModified": "2026-03-30T13:26:29.793", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T15:16:54.277", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.6.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "calibre", "source": "cna", "vendor": "kovidgoyal"}, "product": "calibre", "vendor": "kovidgoyal"}], "analysis": {"en": {"generated_at": "2026-03-27T17:24:46.422040+00:00", "value": {"mitigation_remediation": ["Upgrade Calibre to version 9.6.0 or newer."], "summary": {"action": "Apply Patch", "impact": "Server\u2011Side Request Forgery enabling blind GET requests to arbitrary URLs"}, "threat_synthesis": {"affected_systems": "All releases of Calibre built by Kovid Goyal before version 9.6.0 are affected. The issue exists in the desktop distribution on any operating system supported by Calibre. Users who open e\u2011books that contain malicious content that references an arbitrary URL in the background\u2011image field are at risk.", "description_and_impact": "The vulnerability is present in the background\u2011image endpoint of Calibre\u2019s ebook viewer web backend. It allows a server\u2011side request forgery that enables an attacker to send blind GET requests to arbitrary external URLs from within the application, bypassing the restrictions of the ebook sandbox. This can result in the exfiltration of information such as metadata or internal data that the application may access.", "risk_and_exploitability": "The listed CVSS base score of 4.8 indicates medium severity. No EPSS score is available and the vulnerability is not in the KEV catalog. Exploitation requires an attacker to supply a malicious e\u2011book that a user opens in Calibre, which then triggers the vulnerable endpoint. The likely attack vector is user interaction with a crafted e\u2011book; this inference is drawn from the description of the background\u2011image endpoint. Because only the vulnerability exists when the application processes user\u2011supplied content, the probability of exploitation depends on the user opening such a book."}}}}, "created": "2026-03-27T20:28:49.559917+00:00", "updated": "2026-03-30T07:02:01.328616+00:00", "vendors": ["kovidgoyal", "kovidgoyal$PRODUCT$calibre"]}