CVE-2026-30853 in calibre
Summary
by MITRE • 03/13/2026
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to 9.5.0, a path traversal vulnerability in the RocketBook (.rb) input plugin (src/calibre/ebooks/rb/reader.py) allows an attacker to write arbitrary files to any path writable by the calibre process when a user opens or converts a crafted .rb file. This is the same bug class fixed in CVE-2026-26065 for the PDB readers, but the fix was never applied to the RB reader. This vulnerability is fixed in 9.5.0.
Analysis
by VulDB Data Team • 03/20/2026
CVE-2026-30853 is a path traversal flaw in the calibre e-book manager. It affects the RocketBook (.rb) input plugin at src/calibre/ebooks/rb/reader.py in every version before 9.5.0. The reader does not validate the entry names carried inside a .rb container before writing the entries out, so whoever crafts the container chooses where its contents land: when a user opens or converts the file, any path writable by the calibre process can be created or overwritten with attacker-controlled content.
The weakness is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), the textbook case of a name taken from untrusted input being used directly as a file system path. The attack needs user interaction, but that is also what makes it easy to deliver: e-book files are routinely downloaded and shared, and a crafted .rb file can convert normally while also writing somewhere else, so the user has little to notice. Note that the flaw does not bypass operating system access controls; the write happens with the permissions of the calibre process, so the reachable locations are exactly those the user running calibre can already write to. Within that scope the attacker gets arbitrary file creation and overwrite. A format parser is an input boundary, and names read out of a container are untrusted data until they have been checked.
An arbitrary file write with the user's privileges is a strong primitive. Depending on the platform it can overwrite shell startup files or other user-owned configuration, replace files that calibre itself loads and so alter the application's behaviour, or drop content into locations that run at login, which gives the attacker persistence without any further vulnerability. Every system where calibre is installed and untrusted .rb files may be opened is exposed, on every supported operating system. The summary also notes that the same bug class was fixed in CVE-2026-26065 for the PDB readers while the RB reader was left untouched; that is the familiar failure mode of patching one instance of a bug instead of auditing every parser that shares the pattern.
Mapped to ATT&CK, the vulnerability sits under T1204.002 (User Execution: Malicious File), since nothing happens until the victim opens or converts the crafted file; the resulting write primitive can additionally serve T1074.001 (Local Data Staging), although persistence is the more natural follow-on. The fix is to update to calibre 9.5.0 or later. Until that is possible, treat .rb files from untrusted sources as hostile, run calibre with the least file system access it needs (a sandboxed or containerised install limits what an arbitrary write can reach), and filter .rb attachments and downloads at the mail gateway or proxy where content filtering already happens; a web application firewall is not the relevant control for a desktop file parser. Finally, a path traversal fix in one input plugin should trigger a review of every other plugin that extracts named entries from a container, because the same mistake tends to recur wherever the same pattern was copied.
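The following is an added example, not calibre's code and not a reproduction of the RocketBook container layout: it shows the unsafe extraction pattern described above (an entry name joined straight onto the output directory) next to a confined version that rejects absolute paths, drive letters, backslash separators and `..` components and then verifies the resolved destination still lies under the output directory. The entry list and the `confine`, `is_safe_name`, `unsafe_extract`, `safe_extract` and `demo` names are all constructed here for illustration.

```python
"""Added example: unsafe vs. confined extraction of named container entries.

Illustrative code only; it is not calibre's RB reader and the sample
entries below are constructed for the demonstration.
"""
import os
import ntpath
import posixpath
import tempfile

# Constructed sample: (entry name, content) pairs as a container's table of
# contents might deliver them. The last two names are hostile.
SAMPLE_ENTRIES = [
    ("chapter1.html", b"<p>hello</p>"),
    ("images/cover.png", b"\x89PNG\r\n\x1a\n"),
    ("../../.bashrc", b"echo owned\n"),          # POSIX-style traversal
    ("..\\..\\evil.bat", b"@echo owned\r\n"),    # Windows-style traversal
]


class UnsafeEntryName(ValueError):
    """Raised when a container entry name would escape the output directory."""


def confine(output_dir, name):
    """Return the absolute destination for `name`, or raise UnsafeEntryName.

    Rejects empty names and NUL bytes, absolute paths under either OS
    convention, Windows drive letters and UNC prefixes, any '..' component
    (after normalising both separators), and finally checks that the
    resolved destination is still inside the resolved output directory.
    """
    if not name or "\x00" in name:
        raise UnsafeEntryName(name)
    if posixpath.isabs(name) or ntpath.isabs(name) or ntpath.splitdrive(name)[0]:
        raise UnsafeEntryName(name)
    parts = [p for p in name.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise UnsafeEntryName(name)
    root = os.path.realpath(output_dir)
    dest = os.path.realpath(os.path.join(root, *parts))
    try:
        if os.path.commonpath([root, dest]) != root:
            raise UnsafeEntryName(name)
    except ValueError:  # different drives on Windows
        raise UnsafeEntryName(name)
    return dest


def is_safe_name(name, output_dir="."):
    """Boolean wrapper around confine() for quick checks and scanning."""
    try:
        confine(output_dir, name)
        return True
    except UnsafeEntryName:
        return False


def unsafe_extract(entries, output_dir):
    """The vulnerable pattern: trust the entry name as a relative path."""
    written = []
    for name, data in entries:
        dest = os.path.join(output_dir, name)  # no validation at all
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as f:
            f.write(data)
        written.append(dest)
    return written


def safe_extract(entries, output_dir):
    """Hardened pattern: only names that pass confine() are written.

    Returns (written_paths, rejected_names). A converter could equally
    abort on the first rejected name; skipping keeps the demo observable.
    """
    written, rejected = [], []
    for name, data in entries:
        try:
            dest = confine(output_dir, name)
        except UnsafeEntryName:
            rejected.append(name)
            continue
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as f:
            f.write(data)
        written.append(dest)
    return written, rejected


def demo():
    """Run both extractors in a throwaway sandbox and report the outcome."""
    with tempfile.TemporaryDirectory() as sandbox:
        # Nest the output dir so '../..' escapes it but stays inside the sandbox.
        out = os.path.join(sandbox, "a", "b", "out")
        os.makedirs(out)
        unsafe_extract(SAMPLE_ENTRIES, out)
        real_out = os.path.realpath(out) + os.sep
        escaped = sorted(
            os.path.relpath(os.path.join(d, f), sandbox).replace(os.sep, "/")
            for d, _, files in os.walk(sandbox) for f in files
            if not os.path.realpath(os.path.join(d, f)).startswith(real_out)
        )
        safe_out = os.path.join(sandbox, "safe")
        os.makedirs(safe_out)
        written, rejected = safe_extract(SAMPLE_ENTRIES, safe_out)
        return {
            "escaped": escaped,
            "written": sorted(os.path.relpath(p, safe_out).replace(os.sep, "/")
                              for p in written),
            "rejected": rejected,
        }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` on a POSIX host shows the unsafe extractor planting `a/.bashrc` two levels above its output directory while the confined extractor writes only the two legitimate entries and reports both hostile names as rejected. The Windows-style name is harmless on Linux (it becomes a file literally named `..\..\evil.bat`) but would traverse on Windows, which is why the check normalises both separators rather than relying on the host's `os.path` alone.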