CVE-2025-64486


Published: Nov 7, 2025

Modified: Nov 13, 2025

PUBLISHED

Description

calibre is an e-book manager. In versions 8.13.0 and prior, calibre does not validate filenames when handling binary assets in FB2 files, allowing an attacker to write arbitrary files on the filesystem when viewing or converting a malicious FictionBook file. This can be leveraged to achieve arbitrary code execution. This issue is fixed in version 8.14.0.

Affected products

Vendor: kovidgoyal
Product: calibre
Affected versions: < 8.14.0

Weaknesses (CWE)
