Upstream information
Description
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, an HTTP Response Header Injection vulnerability in the calibre Content Server allows any authenticated user to inject arbitrary HTTP headers into server responses via an unsanitized `content_disposition` query parameter in the `/get/` and `/data-files/get/` endpoints. All users running the calibre Content Server with authentication enabled are affected. The vulnerability is exploitable by any authenticated user and can also be triggered by tricking an authenticated victim into clicking a crafted link. Version 9.4.0 contains a fix for the issue.SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having moderate severity.
| CVSS detail | CNA (GitHub) | National Vulnerability Database |
|---|---|---|
| Base Score | 6.4 | 6.4 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
| Attack Vector | Network | Network |
| Attack Complexity | Low | Low |
| Privileges Required | Low | Low |
| User Interaction | None | None |
| Scope | Changed | Changed |
| Confidentiality Impact | Low | Low |
| Integrity Impact | Low | Low |
| Availability Impact | None | None |
| CVSSv3 Version | 3.1 | 3.1 |
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| openSUSE Tumbleweed |
| Patchnames: openSUSE-Tumbleweed-2026-10587 |
SUSE Timeline for this CVE
CVE page created: Fri Feb 27 22:03:22 2026CVE page last modified: Wed Apr 22 12:56:25 2026