CVE-2025-7404 – calibreweb
Package
Manager: pip
Name: calibreweb
Vulnerable Version: >=0 <=0.6.24
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:U/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00096 (percentile 0.27503)
Details
Calibre Web and Autocaliweb have an OS Command Injection vulnerability. An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Calibre Web and Autocaliweb allows Blind OS Command Injection. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.
Metadata
Created: 2025-07-24T21:30:39Z
Modified: 2025-07-25T20:19:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-qc4j-v7h6-xr5h/GHSA-qc4j-v7h6-xr5h.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-qc4j-v7h6-xr5h
Finding: F404
Auto approve: 1