{"id":"UBUNTU-CVE-2025-64486","details":"calibre is an e-book manager. In versions 8.13.0 and prior, calibre does not validate filenames when handling binary assets in FB2 files, allowing an attacker to write arbitrary files on the filesystem when viewing or converting a malicious FictionBook file. This can be leveraged to achieve arbitrary code execution. This issue is fixed in version 8.14.0.","modified":"2026-01-20T20:08:16.205368Z","published":"2025-11-08T00:15:00Z","upstream":["CVE-2025-64486"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-64486"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2025-64486"},{"type":"REPORT","url":"https://github.com/kovidgoyal/calibre/security/advisories/GHSA-hpwq-c98h-xp8g"},{"type":"REPORT","url":"https://github.com/kovidgoyal/calibre/commit/6f94bce214bf7d43c829804db3741afa5e83c0c5"}],"affected":[{"package":{"name":"calibre","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/calibre@2.55.0+dfsg-1ubuntu0.2?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.33.0+dfsg-1build1","2.38.0+dfsg-1","2.45.0+dfsg-1","2.45.0+dfsg-1build1","2.48.0+dfsg-1","2.48.0+dfsg-1build1","2.54.0+dfsg-1","2.55.0+dfsg-1","2.55.0+dfsg-1ubuntu0.2"],"ecosystem_specific":{"binaries":[{"binary_name":"calibre","binary_version":"2.55.0+dfsg-1ubuntu0.2"},{"binary_name":"calibre-bin","binary_version":"2.55.0+dfsg-1ubuntu0.2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-64486.json"}},{"package":{"name":"calibre","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/calibre@3.21.0+dfsg-1build1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["3.7.0+dfsg-2","3.7.0+dfsg-2build1","3.12.0+dfsg-1","3.13.0+dfsg-1","3.14.0+dfsg-1","3.15.0.1+dfsg-1","3.16.0+dfsg-1","3.16.0+dfsg-1build1","3.17.0+dfsg-1","3.17.0+dfsg-2","3.18.0+dfsg-1build1","3.19.0+dfsg-1","3.20.0+dfsg-1","3.21.0+dfsg-1","3.21.0+dfsg-1build1"],"ecosystem_specific":{"binaries":[{"binary_name":"calibre","binary_version":"3.21.0+dfsg-1build1"},{"binary_name":"calibre-bin","binary_version":"3.21.0+dfsg-1build1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-64486.json"}},{"package":{"name":"calibre","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/calibre@4.99.4+dfsg+really4.12.0-1ubuntu1?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["3.46.0+dfsg-1","4.2.0+dfsg-2","4.3.0+dfsg-1","4.3.0+dfsg-2","4.4.0+dfsg-1","4.5.0+dfsg-1","4.5.0+dfsg-2","4.5.0+dfsg-3","4.6.0+dfsg-1","4.7.0+dfsg-1","4.99.3+dfsg-2","4.99.4+dfsg-1","4.99.4+dfsg-1build1","4.99.4+dfsg+really4.10.0+py3-2","4.99.4+dfsg+really4.11.2-1","4.99.4+dfsg+really4.11.2-1build1","4.99.4+dfsg+really4.12.0-1","4.99.4+dfsg+really4.12.0-1build1","4.99.4+dfsg+really4.12.0-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"calibre","binary_version":"4.99.4+dfsg+really4.12.0-1ubuntu1"},{"binary_name":"calibre-bin","binary_version":"4.99.4+dfsg+really4.12.0-1ubuntu1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-64486.json"}},{"package":{"name":"calibre","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/calibre@5.37.0+dfsg-1build1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["5.25.0+dfsg-2","5.33.2+dfsg-1","5.34.0+dfsg-1","5.35.0+dfsg-1ubuntu2","5.37.0+dfsg-1","5.37.0+dfsg-1build1"],"ecosystem_specific":{"binaries":[{"binary_name":"calibre","binary_version":"5.37.0+dfsg-1build1"},{"binary_name":"calibre-bin","binary_version":"5.37.0+dfsg-1build1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-64486.json"}},{"package":{"name":"calibre","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/calibre@7.6.0+ds-1build1?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["6.24.0+ds-1","6.29.0+ds-1","7.0.0+ds-1","7.1.0+ds-1","7.1.0+ds-2","7.2.0+ds-1","7.2.0+ds-1build1","7.3.0+ds-1","7.4.0+ds-1","7.5.1+ds-1","7.5.1+ds-2","7.5.1+ds-3","7.6.0+ds-1","7.6.0+ds-1build1"],"ecosystem_specific":{"binaries":[{"binary_name":"calibre","binary_version":"7.6.0+ds-1build1"},{"binary_name":"calibre-bin","binary_version":"7.6.0+ds-1build1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-64486.json"}},{"package":{"name":"calibre","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/calibre@8.8.0+ds-3build1?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["7.26.0+ds-4build1","8.3.0+ds-1","8.4.0+ds-1","8.5.0+ds-1","8.6.0+ds-1","8.7.0+ds-1","8.8.0+ds-2","8.8.0+ds-3","8.8.0+ds-3build1"],"ecosystem_specific":{"binaries":[{"binary_name":"calibre","binary_version":"8.8.0+ds-3build1"},{"binary_name":"calibre-bin","binary_version":"8.8.0+ds-3build1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-64486.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"type":"Ubuntu","score":"medium"}]}