Zero Day Monitor
CVE-2026-33205 · EXPLOITED · CVSS 0.0
kovidgoyal · calibre

calibre has Server-Side Request Forgery in ebook viewer backend

Description

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader's web view allows an attacker to perform blind GET requests to arbitrary URLs and exfiltrate information out from the ebook sandbox. Version 9.6.0 patches the issue.

Affected Products

Vendor: kovidgoyal
Product: calibre
Versions: < 9.6.0

References

  • https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v (x_refsource_CONFIRM)

Related News (1 article)

Tier C
VulDB · 6h ago
CVE-2026-33205 | kovidgoyal calibre up to 9.5.x background-image Endpoint server-side request forgery
→ No new info (linked only)
CVSS 3.1: 0.0 NONE
CISA KEV: ❌ No
Actively exploited: ✅ Yes
CWE: CWE-918
Published: 3/27/2026
Last enriched: 5h ago · v2
Trending Score: 49
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Verification

State: unverified
Confidence: 0%

Version History

v2 · Tier C · 5h ago

Updated severity to CRITICAL, added new description, and noted that the vulnerability is actively exploited.

description, severity, cvssEstimate, activelyExploited, patchAvailable
via VulDB
v1 · 6h ago

Initial creation