PatchSiren cyber security CVE debrief
CVE-2026-53511 kovidgoyal CVE debrief
The calibre e-book manager, prior to version 9.10.0, contains a vulnerability that allows for arbitrary Python code execution. This is achieved through a malicious EPUB, OPF, or PDF file that embeds a custom column definition with a python: template in calibre:user_metadata. When the metadata of such a file is read by calibre, including through the 'Add books' or 'Edit books' features, the embedded template is passed unsanitized to exec() in the template formatter, leading to code execution. This issue has been addressed with the release of version 9.10.0.
- Vendor
- kovidgoyal
- Product
- calibre
- CVSS
- HIGH 8.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-07
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-07
- Advisory updated
- 2026-07-07
Who should care
Users of calibre e-book manager, especially those who handle EPUB, OPF, or PDF files from untrusted sources, should be aware of this vulnerability. System administrators and individuals responsible for managing e-book collections or ensuring the security of e-book processing workflows are particularly advised to take action.
Technical summary
CVE-2026-53511 is a vulnerability in calibre, an e-book manager, that allows for arbitrary Python code execution. The vulnerability arises from the improper sanitization of custom column definitions in calibre:user_metadata when reading metadata from EPUB, OPF, or PDF files. An attacker can exploit this by crafting a malicious file that, when processed by calibre, executes arbitrary Python code. This vulnerability has been fixed in calibre version 9.10.0.
Defensive priority
High
Recommended defensive actions
- Update calibre to version 9.10.0 or later
- Avoid opening EPUB, OPF, or PDF files from untrusted sources in calibre until updated
- Monitor for suspicious activity in calibre after updating
- Perform a thorough review of existing e-book collections for potential exposure
- Implement additional monitoring for systems where calibre is used to process e-book files
- Verify that all calibre installations are updated and that no older versions are in use
- Track and document the review process for e-book files from untrusted sources
Evidence notes
The CVE record and NVD detail provide information on the vulnerability. The fix is available in calibre version 9.10.0. Due to the nature of the vulnerability, users should be cautious with files from untrusted sources.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T21:17:26.380Z and has not been modified since then.