CVE-2020-12627
Calibre-Web 0.6.6 allows authentication bypass because of the 'A0Zr98j/3yX RXHH!jmNLWX/,?RT' hardcoded secret key...
CVE-2024-39123
In janeczku Calibre-Web 0.6.0 to 0.6.21, the edit_book_comments function is vulnerable to Cross Site Scripting XSS due to improper sanitization performed by the clean_string function. The vulnerability arises from the way the clean_string function handles HTML sanitization...
CVE-2022-0766
Server-Side Request Forgery SSRF in GitHub repository janeczku/calibre-web prior to 0.6.17...
CVE-2025-65858
A Stored Cross-Site Scripting XSS vulnerability in Calibre-Web v0.6.25 allows attackers to inject malicious JavaScript into the 'username' field during user creation. The payload is stored unsanitized and later executed when the /ajax/listusers endpoint is accessed...
EUVD-2021-12804
Malware in sbrugna...
EUVD-2024-3306
Malicious code in bioql PyPI...
EUVD-2024-3282
Malicious code in bioql PyPI...
CVE-2025-7404
Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' vulnerability in Calibre Web, Autocaliweb allows Blind OS Command Injection. This issue affects Calibre Web: 0.6.24 Nicolette; Autocaliweb: from 0.7.0 before 0.7.1...
CVE-2025-7404
CVE-2025-7404 concerns Calibre Web (and Autocaliweb) with a blind OS command injection due to improper neutralization of input in OS commands. Affected: Calibre Web 0.6.24; Autocaliweb 0.7.0–before 0.7.1. Root cause: insufficient sanitization of user input enabling remote command execution via th...
CVE-2025-7404 Calibre Web 0.6.24 & Autocaliweb 0.7.0 - Blind C
Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' vulnerability in Calibre Web, Autocaliweb allows Blind OS Command Injection. This issue affects Calibre Web: 0.6.24 Nicolette; Autocaliweb: from 0.7.0 before 0.7.1...
PT-2025-30695 · Unknown · Autocaliweb +1
Name of the Vulnerable Software and Affected Versions: Calibre Web version 0.6.24 Nicolette; Autocaliweb version 0.7.0. Description: A Regular Expression Denial of Service ReDoS issue exists in the strip_whitespaces function within cps/string_helper.py. Unauthenticated remote attackers can exploit...
CVE-2022-30765
Calibre-Web before 0.6.18 allows user table SQL Injection...
CVE-2021-3987
An improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to create public shelves. The vulnerability is due to the create_shelf method in shelf.py not verifying if the user has the necessary permissions to create a...
CVE-2021-4170
calibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting'...
CVE-2021-4171
calibre-web is vulnerable to Business Logic Errors...
CVE-2022-0939
Server-Side Request Forgery SSRF in GitHub repository janeczku/calibre-web prior to 0.6.18...
calibre-web is vulnerable to Business Logic Errors
calibre-web is vulnerable to Business Logic Errors...
GHSA-XP7P-3GX7-J6WX calibre-web is vulnerable to Business Logic Errors
calibre-web is vulnerable to Business Logic Errors...
CVE-2021-25965 Calibre-web - Admin Account Takeover via Cross-Site Request Forgery (CSRF)
In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery CSRF. By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credentials, allowing them to take over the application...