Vulnerabilities (CVE)

Filtered by vendor Janeczku Subscribe
Filtered by product Calibre-web
Total 24 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-7404 2 Gelbphoenix, Janeczku 2 Autocaliweb, Calibre-web 2026-06-17 N/A 9.8 CRITICAL
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Calibre Web, Autocaliweb allows Blind OS Command Injection.This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.
CVE-2025-65858 1 Janeczku 1 Calibre-web 2026-06-17 N/A 3.5 LOW
A Stored Cross-Site Scripting (XSS) vulnerability in Calibre-Web v0.6.25 allows attackers to inject malicious JavaScript into the 'username' field during user creation. The payload is stored unsanitized and later executed when the /ajax/listusers endpoint is accessed.
CVE-2024-39123 1 Janeczku 1 Calibre-web 2026-06-17 N/A 5.4 MEDIUM
In janeczku Calibre-Web 0.6.0 to 0.6.21, the edit_book_comments function is vulnerable to Cross Site Scripting (XSS) due to improper sanitization performed by the clean_string function. The vulnerability arises from the way the clean_string function handles HTML sanitization.
CVE-2023-2106 1 Janeczku 1 Calibre-web 2026-06-17 N/A 9.8 CRITICAL
Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20.
CVE-2022-30765 1 Janeczku 1 Calibre-web 2026-06-17 7.5 HIGH 9.8 CRITICAL
Calibre-Web before 0.6.18 allows user table SQL Injection.
CVE-2022-2525 1 Janeczku 1 Calibre-web 2026-06-17 N/A 9.8 CRITICAL
Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20.
CVE-2022-0990 1 Janeczku 1 Calibre-web 2026-06-17 6.4 MEDIUM 9.1 CRITICAL
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.
CVE-2022-0939 1 Janeczku 1 Calibre-web 2026-06-17 7.5 HIGH 9.9 CRITICAL
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.
CVE-2022-0767 1 Janeczku 1 Calibre-web 2026-06-17 7.5 HIGH 9.9 CRITICAL
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.
CVE-2022-0766 1 Janeczku 1 Calibre-web 2026-06-17 7.5 HIGH 9.8 CRITICAL
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.
CVE-2022-0406 1 Janeczku 1 Calibre-web 2026-06-17 4.0 MEDIUM 4.3 MEDIUM
Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16.
CVE-2022-0405 1 Janeczku 1 Calibre-web 2026-06-17 4.0 MEDIUM 4.3 MEDIUM
Improper Access Control in GitHub repository janeczku/calibre-web prior to 0.6.16.
CVE-2022-0352 1 Janeczku 1 Calibre-web 2026-06-17 4.3 MEDIUM 6.1 MEDIUM
Cross-site Scripting (XSS) - Reflected in Pypi calibreweb prior to 0.6.16.
CVE-2022-0339 1 Janeczku 1 Calibre-web 2026-06-17 7.5 HIGH 9.8 CRITICAL
Server-Side Request Forgery (SSRF) in Pypi calibreweb prior to 0.6.16.
CVE-2022-0273 1 Janeczku 1 Calibre-web 2026-06-17 4.0 MEDIUM 6.5 MEDIUM
Improper Access Control in Pypi calibreweb prior to 0.6.16.
CVE-2021-4171 1 Janeczku 1 Calibre-web 2026-06-17 7.5 HIGH 9.8 CRITICAL
calibre-web is vulnerable to Business Logic Errors
CVE-2021-4170 1 Janeczku 1 Calibre-web 2026-06-17 3.5 LOW 5.4 MEDIUM
calibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-4164 1 Janeczku 1 Calibre-web 2026-06-17 6.8 MEDIUM 8.8 HIGH
calibre-web is vulnerable to Cross-Site Request Forgery (CSRF)
CVE-2021-3988 1 Janeczku 1 Calibre-web 2026-06-17 N/A 6.1 MEDIUM
A Cross-site Scripting (XSS) vulnerability exists in janeczku/calibre-web, specifically in the file `edit_books.js`. The vulnerability occurs when editing book properties, such as uploading a cover or a format. The affected code directly inserts user input into the DOM without proper sanitization, allowing attackers to execute arbitrary JavaScript code. This can lead to various attacks, including stealing cookies. The issue is present in the code handling the `#btn-upload-cover` change event.
CVE-2021-3987 1 Janeczku 1 Calibre-web 2026-06-17 N/A 4.3 MEDIUM
An improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to create public shelves. The vulnerability is due to the `create_shelf` method in `shelf.py` not verifying if the user has the necessary permissions to create a public shelf. This issue can lead to unauthorized actions being performed by users.