janeczku/calibre-web

GitHub

github.com

Releases26

Frequency3 months 1 week

Last Release 4 months ago

Stars17.3K

:books: Web app for browsing, reading and downloading eBooks stored in a Calibre database

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2025-7404 ↗	Jul 24, 2025Thursday, 24 July 2025, 21:15	9.8 CRITICAL	—
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Calibre Web, Autocaliweb allows Blind OS Command Injection.This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.
CVE-2025-6998 ↗	Jul 24, 2025Thursday, 24 July 2025, 20:15	—	—
ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.
CVE-2021-3986 ↗	Nov 15, 2024Friday, 15 November 2024, 11:15	4.3 MEDIUM	—
A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file shelf.py at line 221, where the name of the shelf is exposed in an error message when a user attempts to remove a book from a shelf they do not own. This vulnerability discloses private information and affects all versions prior to the fix.
CVE-2021-3987 ↗	Nov 15, 2024Friday, 15 November 2024, 11:15	4.3 MEDIUM	—
An improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to create public shelves. The vulnerability is due to the `create_shelf` method in `shelf.py` not verifying if the user has the necessary permissions to create a public shelf. This issue can lead to unauthorized actions being performed by users.
CVE-2021-3988 ↗	Nov 15, 2024Friday, 15 November 2024, 11:15	6.1 MEDIUM	—
A Cross-site Scripting (XSS) vulnerability exists in janeczku/calibre-web, specifically in the file `edit_books.js`. The vulnerability occurs when editing book properties, such as uploading a cover or a format. The affected code directly inserts user input into the DOM without proper sanitization, allowing attackers to execute arbitrary JavaScript code. This can lead to various attacks, including stealing cookies. The issue is present in the code handling the `#btn-upload-cover` change event.
CVE-2023-2106 ↗	Apr 15, 2023Saturday, 15 April 2023, 14:15	9.8 CRITICAL	—
Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20.
CVE-2022-2525 ↗	Apr 15, 2023Saturday, 15 April 2023, 13:15	9.8 CRITICAL	—
Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20.
CVE-2022-30765 ↗	May 16, 2022Monday, 16 May 2022, 02:15	9.8 CRITICAL	7.5 HIGH
Calibre-Web before 0.6.18 allows user table SQL Injection.
CVE-2022-0990 ↗	Apr 4, 2022Monday, 4 April 2022, 18:15	9.1 CRITICAL	6.4 MEDIUM
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.
CVE-2022-0939 ↗	Apr 4, 2022Monday, 4 April 2022, 10:15	9.9 CRITICAL	7.5 HIGH
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.
CVE-2022-0405 ↗	Apr 3, 2022Sunday, 3 April 2022, 19:15	4.3 MEDIUM	4 MEDIUM
Improper Access Control in GitHub repository janeczku/calibre-web prior to 0.6.16.
CVE-2022-0406 ↗	Apr 3, 2022Sunday, 3 April 2022, 19:15	4.3 MEDIUM	4 MEDIUM
Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16.
CVE-2022-0767 ↗	Mar 7, 2022Monday, 7 March 2022, 07:15	9.9 CRITICAL	7.5 HIGH
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.
CVE-2022-0766 ↗	Mar 7, 2022Monday, 7 March 2022, 07:15	9.8 CRITICAL	7.5 HIGH
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.
CVE-2022-0339 ↗	Jan 30, 2022Sunday, 30 January 2022, 14:15	9.8 CRITICAL	7.5 HIGH
Server-Side Request Forgery (SSRF) in Pypi calibreweb prior to 0.6.16.
CVE-2022-0273 ↗	Jan 30, 2022Sunday, 30 January 2022, 14:15	6.5 MEDIUM	4 MEDIUM
Improper Access Control in Pypi calibreweb prior to 0.6.16.
CVE-2022-0352 ↗	Jan 28, 2022Friday, 28 January 2022, 22:15	6.1 MEDIUM	4.3 MEDIUM
Cross-site Scripting (XSS) - Reflected in Pypi calibreweb prior to 0.6.16.
CVE-2021-4164 ↗	Jan 17, 2022Monday, 17 January 2022, 13:15	8.8 HIGH	6.8 MEDIUM
calibre-web is vulnerable to Cross-Site Request Forgery (CSRF)
CVE-2021-4171 ↗	Jan 17, 2022Monday, 17 January 2022, 10:15	9.8 CRITICAL	7.5 HIGH
calibre-web is vulnerable to Business Logic Errors
CVE-2021-4170 ↗	Jan 16, 2022Sunday, 16 January 2022, 21:15	5.4 MEDIUM	3.5 LOW
calibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25965 ↗	Nov 16, 2021Tuesday, 16 November 2021, 10:15	8.8 HIGH	6.8 MEDIUM
In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credentials, allowing them to take over the application.
CVE-2021-25964 ↗	Oct 4, 2021Monday, 4 October 2021, 15:15	5.4 MEDIUM	3.5 LOW
In “Calibre-web” application, v0.6.0 to v0.6.12, are vulnerable to Stored XSS in “Metadata”. An attacker that has access to edit the metadata information, can inject JavaScript payload in the description field. When a victim tries to open the file, XSS will be triggered.
CVE-2020-12627 ↗	May 4, 2020Monday, 4 May 2020, 03:15	9.8 CRITICAL	7.5 HIGH
Calibre-Web 0.6.6 allows authentication bypass because of the 'A0Zr98j/3yX R~XHH!jmN]LWX/,?RT' hardcoded secret key.