calibre has Server-Side Request Forgery in ebook viewer backend

Description

A vulnerability identified as critical has been detected in kovidgoyal calibre up to 9.5.x. The manipulation leads to server-side request forgery. Remote exploitation of the attack is possible.

Affected Products

Vendor	Product	Versions
kovidgoyal	calibre	< 9.6.0

References

https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v(x_refsource_CONFIRM)

Related News (1 articles)

Tier C

VulDB4h ago

CVE-2026-33205 | kovidgoyal calibre up to 9.5.x background-image Endpoint server-side request forgery

→ No new info (linked only)

CVSS 3.10.0 CRITICAL

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-918

Published3/27/2026

Last enriched3h agov2

Trending Score49

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Version History

Last enriched 3h ago

v2Tier C3h ago

Updated severity to CRITICAL, added new description, and noted that the vulnerability is actively exploited.

descriptionseveritycvssEstimateactivelyExploitedpatchAvailable

via VulDB

v14h ago

Initial creation