Total: 24 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-7404 | 2 Gelbphoenix, Janeczku | 2 Autocaliweb, Calibre-web | 2026-01-16 | N/A | 9.8 CRITICAL | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Calibre Web, Autocaliweb allows Blind OS Command Injection. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1. |
| CVE-2025-65858 | 1 Janeczku | 1 Calibre-web | 2025-12-23 | N/A | 3.5 LOW | A Stored Cross-Site Scripting (XSS) vulnerability in Calibre-Web v0.6.25 allows attackers to inject malicious JavaScript into the 'username' field during user creation. The payload is stored unsanitized and later executed when the /ajax/listusers endpoint is accessed. |
| CVE-2024-39123 | 1 Janeczku | 1 Calibre-web | 2025-07-09 | N/A | 5.4 MEDIUM | In janeczku Calibre-Web 0.6.0 to 0.6.21, the edit_book_comments function is vulnerable to Cross Site Scripting (XSS) due to improper sanitization performed by the clean_string function. The vulnerability arises from the way the clean_string function handles HTML sanitization. |
| CVE-2023-2106 | 1 Janeczku | 1 Calibre-web | 2025-02-06 | N/A | 9.8 CRITICAL | Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20. |
| CVE-2022-2525 | 1 Janeczku | 1 Calibre-web | 2025-02-06 | N/A | 9.8 CRITICAL | Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20. |
| CVE-2022-30765 | 1 Janeczku | 1 Calibre-web | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Calibre-Web before 0.6.18 allows user table SQL Injection. |
| CVE-2022-0990 | 1 Janeczku | 1 Calibre-web | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL | Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18. |
| CVE-2022-0939 | 1 Janeczku | 1 Calibre-web | 2024-11-21 | 7.5 HIGH | 9.9 CRITICAL | Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18. |
| CVE-2022-0767 | 1 Janeczku | 1 Calibre-web | 2024-11-21 | 7.5 HIGH | 9.9 CRITICAL | Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17. |
| CVE-2022-0766 | 1 Janeczku | 1 Calibre-web | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17. |
| CVE-2022-0406 | 1 Janeczku | 1 Calibre-web | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16. |
| CVE-2022-0405 | 1 Janeczku | 1 Calibre-web | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | Improper Access Control in GitHub repository janeczku/calibre-web prior to 0.6.16. |
| CVE-2022-0352 | 1 Janeczku | 1 Calibre-web | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site Scripting (XSS) - Reflected in Pypi calibreweb prior to 0.6.16. |
| CVE-2022-0339 | 1 Janeczku | 1 Calibre-web | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Server-Side Request Forgery (SSRF) in Pypi calibreweb prior to 0.6.16. |
| CVE-2022-0273 | 1 Janeczku | 1 Calibre-web | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | Improper Access Control in Pypi calibreweb prior to 0.6.16. |
| CVE-2021-4171 | 1 Janeczku | 1 Calibre-web | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | calibre-web is vulnerable to Business Logic Errors. |
| CVE-2021-4170 | 1 Janeczku | 1 Calibre-web | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | calibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). |
| CVE-2021-4164 | 1 Janeczku | 1 Calibre-web | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | calibre-web is vulnerable to Cross-Site Request Forgery (CSRF). |
| CVE-2021-25965 | 1 Janeczku | 1 Calibre-web | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credentials, allowing them to take over the application. |
| CVE-2021-25964 | 1 Janeczku | 1 Calibre-web | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The "Calibre-web" application, v0.6.0 to v0.6.12, is vulnerable to Stored XSS in "Metadata". An attacker that has access to edit the metadata information can inject a JavaScript payload in the description field. When a victim tries to open the file, the XSS will be triggered. |
