calibreweb (PyPI)
16 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting calibreweb
- CVE-2021-3986 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 0.6.15 | 2024-11-15
vulnerable: 0.6.12, 0.6.13, 0.6.14
A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file shelf.py at line 221, where the name of the shelf is exposed in an error message…
- CVE-2021-3987 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 0.6.15 | 2024-11-15
vulnerable: 0.6.12, 0.6.13, 0.6.14
An improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to create public shelves. The vulnerability is due to the `create_shelf` method in `shelf.py` not v…
- CVE-2021-3988 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 0.6.15 | 2024-11-15
vulnerable: 0.6.12, 0.6.13, 0.6.14
A Cross-site Scripting (XSS) vulnerability exists in janeczku/calibre-web, specifically in the file `edit_books.js`. The vulnerability occurs when editing book properties, such as uploading a cover or a format. The affected code directly i…
- CVE-2021-4164 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 0.6.15 | 2022-01-17
vulnerable: 0.6.12, 0.6.13, 0.6.14
calibre-web is vulnerable to Cross-Site Request Forgery (CSRF)
- CVE-2021-4170 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 0.6.15 | 2022-01-16
vulnerable: 0.6.12, 0.6.13, 0.6.14
calibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE-2021-4171 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 0.6.15 | 2022-01-17
vulnerable: 0.6.12, 0.6.13, 0.6.14
calibre-web is vulnerable to Business Logic Errors
- CVE-2022-0273 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 0.6.16 | 2022-01-30
vulnerable: 0.6.12, 0.6.13, 0.6.14, 0.6.15
Improper Access Control in Pypi calibreweb prior to 0.6.16.
- CVE-2022-0339 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 0.6.16 | 2022-01-30
vulnerable: 0.6.12, 0.6.13, 0.6.14, 0.6.15
Server-Side Request Forgery (SSRF) in Pypi calibreweb prior to 0.6.16.
- CVE-2022-0352 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 0.6.16 | 2022-01-28
vulnerable: 0.6.12, 0.6.13, 0.6.14, 0.6.15
Cross-site Scripting (XSS) - Reflected in Pypi calibreweb prior to 0.6.16.
- CVE-2022-0766 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 0.6.17 | 2022-03-07
vulnerable: 0.6.12, 0.6.13, 0.6.14, 0.6.15, 0.6.16
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.
- CVE-2022-0767 | CRITICAL | CVSS 9.9 | EG 9.9 | ✓ Fixed in 0.6.17 | 2022-03-07
vulnerable: 0.6.12, 0.6.13, 0.6.14, 0.6.15, 0.6.16
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.
- CVE-2022-2525 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 0.6.20 | 2023-04-15
vulnerable: 0.6.12 ... 0.6.19 (8 versions)
Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20.
- CVE-2022-30765 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 0.6.18 | 2022-05-16
vulnerable: 0.6.12 ... 0.6.17 (6 versions)
Calibre-Web before 0.6.18 allows user table SQL Injection.
- CVE-2023-2106 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 0.6.20 | 2023-04-15
vulnerable: 0.6.12 ... 0.6.19 (8 versions)
Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20.
- CVE-2024-39123 | MEDIUM | CVSS 5.4 | EG 5.4 | 2024-07-19
vulnerable: 0.6.12 ... 0.6.21 (10 versions)
In janeczku Calibre-Web 0.6.0 to 0.6.21, the edit_book_comments function is vulnerable to Cross Site Scripting (XSS) due to improper sanitization performed by the clean_string function. The vulnerability arises from the way the clean_strin…
- CVE-2025-6998 | NONE | CVSS 0.0 | EG 0.0 | 2025-07-24
vulnerable: 0.6.12 ... 0.6.24 (13 versions)
ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracki…