CVE-2023-46303 in calibreinfo

Summary

by MITRE • 10/25/2023

link_to_local_path in ebooks/conversion/plugins/html_input.py in calibre before 6.19.0 can, by default, add resources outside of the document root.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 02/14/2026

The vulnerability identified as CVE-2023-46303 affects the calibre e-book management software version 6.19.0 and earlier, specifically within the html_input.py conversion plugin. This issue resides in the link_to_local_path function which processes HTML input during e-book conversion operations. The flaw represents a path traversal vulnerability that allows malicious actors to manipulate resource paths and potentially access files outside of the designated document root directory. The vulnerability stems from insufficient input validation and path handling within the conversion pipeline, creating an opportunity for unauthorized file system access.

The technical implementation of this vulnerability occurs when calibre processes HTML documents containing local file references that are converted to local paths. The link_to_local_path function fails to properly sanitize or validate the input paths, allowing specially crafted relative path references to traverse beyond the intended document root boundaries. This type of vulnerability falls under the CWE-22 category for Improper Limitation of a Pathname to a Restricted Directory, commonly known as Path Traversal or Directory Traversal. The vulnerability is particularly concerning because it operates within the conversion framework where users might expect safe handling of external content, especially when processing HTML documents from untrusted sources.

Operationally, this vulnerability could enable attackers to access sensitive files on the system where calibre is running, potentially exposing user data, configuration files, or system resources. The impact is significant because calibre is widely used for managing e-book collections and processing various document formats, making it a target for attackers seeking to exploit the conversion pipeline. When users process HTML documents containing malicious path references, the vulnerability could allow extraction of arbitrary files from the file system, depending on the permissions of the calibre process. This represents a critical security risk in environments where calibre processes documents from untrusted sources or where users have limited security awareness about the potential dangers of processing external HTML content.

The recommended mitigation strategy involves upgrading to calibre version 6.19.0 or later, which includes patches addressing the path traversal vulnerability in the html_input.py plugin. System administrators should also implement strict input validation for any HTML content processed through calibre, particularly when dealing with user-generated or external documents. Additional protective measures include running calibre with minimal required privileges, implementing proper file system access controls, and monitoring conversion operations for suspicious path patterns. Organizations should consider implementing network segmentation and access controls to limit exposure of calibre systems to untrusted networks. This vulnerability aligns with ATT&CK technique T1059.007 for Command and Scripting Interpreter: Python, as it exploits the Python-based conversion framework to manipulate file system access patterns. The remediation approach should include regular security updates, comprehensive testing of conversion workflows, and implementation of principle of least privilege for calibre process execution to minimize potential impact of similar vulnerabilities in the future.

Reservation

10/22/2023

Disclosure

10/25/2023

Moderation

accepted

CPE

ready

EPSS

0.01352

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!