CVE-2026-25635

HighPublic PoC

Published: 06 February 2026

Published

06 February 2026

Modified

17 February 2026

KEV Added

—

Patch

—

CVSS Score 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS Score 0.0014 33.2th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

calibre is an e-book manager. Prior to 9.2.0, Calibre's CHM reader contains a path traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows (haven't tested on other OS's), this can lead to Remote Code…

Execution by writing a payload to the Startup folder, which executes on next login. This vulnerability is fixed in 9.2.0.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents path traversal exploitation in Calibre's CHM reader by validating untrusted inputs used for file path construction.

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the specific path traversal flaw fixed in Calibre version 9.2.0 through patching.

SI-3 Malicious Code Protection partial match

preventdetect

Mitigates potential RCE by detecting and blocking malicious payloads written to the Windows Startup folder.

Security SummaryAI

CVE-2026-25635 is a path traversal vulnerability (CWE-22) in the CHM reader component of Calibre, an open-source e-book management application. Versions of Calibre prior to 9.2.0 are affected, enabling attackers to perform arbitrary file writes to any location where the affected user has write permissions.

The vulnerability can be exploited by a local attacker with no privileges required, though it demands user interaction such as opening a malicious CHM file in Calibre. Exploitation allows arbitrary file writes, which on Windows can escalate to code execution by placing a malicious payload in the Startup folder, triggering execution upon the user's next login. The CVSS v3.1 base score is 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts with a changed scope.

Calibre addresses this issue in version 9.2.0. Mitigation details are provided in the GitHub security advisory (GHSA-32vh-whvh-9fxr), the fixing commit (9739232fcb029ac15dfe52ccd4fdb4a07ebb6ce9), and an independent analysis at 0x5t.raptx.org/posts/calibre-chm-rce. Users should update to 9.2.0 or later and avoid opening untrusted CHM files.

Details

CWE(s): CWE-22

Affected Products

calibre-ebook

calibre

≤ 9.2.0

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1547.001 Registry Run Keys / Startup Folder Persistence

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.

attack.mitre.org →

Why these techniques?

The path traversal vulnerability enables exploitation for client execution (T1203) via a malicious CHM file in Calibre, facilitating arbitrary file writes that can achieve persistence by placing payloads in the Startup folder (T1547.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/kovidgoyal/calibre/commit/9739232fcb029ac15dfe52ccd4fdb4a07ebb6ce9
Patch · security-advisories@github.com
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-32vh-whvh-9fxr
Exploit, Third Party Advisory · security-advisories@github.com
https://0x5t.raptx.org/posts/calibre-chm-rce
Exploit, Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108