calibreweb@0.6.26 vulnerabilities

Web app for browsing, reading and downloading eBooks stored in a Calibre database.

Direct Vulnerabilities

Known vulnerabilities in the calibreweb package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Vulnerable Version
  • M  Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the username field during user creation. An attacker can execute arbitrary JavaScript code in the context of another user's browser by injecting a malicious payload, which is then stored and triggered when the /ajax/listusers endpoint is accessed.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for calibreweb.

Vulnerable version range: [0,)

  • M  Command Injection

Affected versions of this package are vulnerable to Command Injection via the /admin/ajaxconfig endpoint that fails to properly neutralise special elements used in operating system commands. An attacker with administrator user access can execute commands such as /sbin/reboot to force a system restart or launch /bin/bash in interactive mode if the process is connected to a terminal.

How to fix Command Injection?

There is no fixed version for calibreweb.

Vulnerable version range: [0,)

  • M  Regular Expression Denial of Service (ReDoS)

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the strip_whitespaces function in the cps/string_helper.py file. An attacker can cause the application to become unresponsive by submitting a specially crafted username parameter during the login process, which triggers excessive backtracking in the regular expression engine.

How to fix Regular Expression Denial of Service (ReDoS)?

There is no fixed version for calibreweb.

Vulnerable version range: [0,)