mirror of
https://github.com/community-scripts/ProxmoxVE.git
synced 2026-07-16 05:34:07 +03:00
Upstream Calibre-Web application has unpatched vulnerabilities #1344
Closed
opened 2026-02-05 00:25:54 +03:00 by OVERLORD
·
3 comments
No Branch/Tag Specified
main
github-action-update-changelog
MickLesk-patch-2
add-script-nexterm-1783707056
MickLesk-patch-1
docker_fix
fix/heimdall-php-update-15767
add-script-tor-snowflake-1783689151
add-script-skylite-ux-1783689148
cleanup/tools-func-dead-code
host-backup-migration
feature/firmware-update-fwupd
feature/iommu-setup
pocketbase-sync/seerr
feat/create-backup-rollout
feat/update-recovery-standard
feat/optional-vzdump-after-install
pocketbase-sync/semaphore
pocketbase-sync/grafana
unififix
fix/openobserve-password-policy
pocketbase-sync/authentik
pocketbase-sync/pve-scripts-local
fix/odoo-lxml-html-clean-14780
fix/fireshare-update-frontend-build
fix/fileflows-node-server-address
arm64-port-1
copilot/fix-pnpm-tools-func-install-version-10
2026-07-15
2026-07-14
2026-07-13
2026-07-12
2026-07-11
2026-07-10
2026-07-09
2026-07-08
2026-07-07
2026-07-06
2026-07-05
2026-07-04
2026-07-03
2026-07-02
2026-07-01
2026-06-30
2026-06-29
2026-06-28
2026-06-27
2026-06-26
2026-06-25
2026-06-24
2026-06-23
2026-06-22
2026-06-21
2026-06-20
2026-06-19
2026-06-18
2026-06-17
2026-06-16
2026-06-15
2026-06-14
2026-06-13
2026-06-12
2026-06-11
2026-06-10
2026-06-09
2026-06-08
2026-06-07
2026-06-06
2026-06-05
2026-06-04
2026-06-03
2026-06-02
2026-06-01
2026-05-31
2026-05-30
2026-05-29
2026-05-28
2026-05-27
2026-05-26
2026-05-25
2026-05-24
2026-05-23
2026-05-22
2026-05-21
2026-05-20
2026-05-19
2026-05-18
2026-05-17
2026-05-16
2026-05-15
2026-05-14
2026-05-13
2026-05-12
2026-05-11
2026-05-10
2026-05-09
2026-05-08
2026-05-07
2026-05-06
2026-05-05
2026-05-04
2026-05-03
2026-05-02
2026-05-01
2026-04-30
2026-04-29
2026-04-28
2026-04-27
2026-04-26
2026-04-25
2026-04-24
2026-04-23
2026-04-22
2026-04-21
2026-04-20
2026-04-19
2026-04-18
2026-04-17
2026-04-16
2026-04-15
2026-04-14
2026-04-13
2026-04-12
2026-04-11
2026-04-10
2026-04-09
2026-04-08
2026-04-07
2026-04-06
2026-04-05
2026-04-04
2026-04-03
2026-04-02
2026-04-01
2026-03-31
2026-03-30
2026-03-29
2026-03-28
2026-03-27
2026-03-26
2026-03-25
2026-03-24
2026-03-23
2026-03-22
2026-03-21
2026-03-20
2026-03-19
2026-03-18
2026-03-17
2026-03-16
2026-03-15
2026-03-14
2026-03-13
2026-03-12
2026-03-11
2026-03-10
2026-03-09
2026-03-08
2026-03-07
2026-03-06
2026-03-05
2026-03-04
2026-03-03
2026-03-02
2026-03-01
2026-02-28
2026-02-27
2026-02-26
2026-02-25
2026-02-24
2026-02-23
2026-02-22
2026-02-21
2026-02-20
2026-02-19
2026-02-18
2026-02-17
2026-02-16
2026-02-15
2026-02-14
2026-02-13
2026-02-12
2026-02-11
2026-02-10
2026-02-09
2026-02-08
2026-02-07
2026-02-06
2026-02-05
2026-02-04
2026-02-03
2026-02-02
2026-02-01
2026-01-31
2026-01-30
2026-01-29
2026-01-28
2026-01-27
2026-01-26
2026-01-25
2026-01-24
2026-01-23
2026-01-22
2026-01-21
2026-01-20
2026-01-19
2026-01-18
2026-01-17
2026-01-16
2026-01-15
2026-01-14
2026-01-13
2026-01-12
2026-01-11
2026-01-10
2026-01-09
2026-01-08
2026-01-07
2026-01-06
2026-01-05
2026-01-04
2026-01-03
2026-01-02
2026-01-01
2025-12-31
2025-12-30
2025-12-29
2025-12-28
2025-12-27
2025-12-26
2025-12-25
2025-12-24
2025-12-23
2025-12-22
2025-12-21
2025-12-20
2025-12-19
2025-12-18
2025-12-17
2025-12-16
2025-12-15
2025-12-14
2025-12-13
2025-12-12
2025-12-11
2025-12-10
2025-12-09
2025-12-08
2025-12-07
2025-12-06
2025-12-05
2025-12-04
2025-12-03
2025-12-02
2025-12-01
2025-11-30
2025-11-29
2025-11-28
2025-11-27
2025-11-26
2025-11-25
2025-11-24
2025-11-23
2025-11-22
2025-11-21
2025-11-20
2025-11-19
2025-11-18
2025-11-17
2025-11-16
2025-11-15
2025-11-14
2025-11-13
2025-11-12
2025-11-11
2025-11-10
2025-11-09
2025-11-08
2025-11-07
2025-11-06
2025-11-05
2025-11-04
2025-11-03
2025-11-02
2025-11-01
2025-10-31
2025-10-30
2025-10-29
2025-10-28
2025-10-27
2025-10-26
2025-10-25
2025-10-24
2025-10-23
2025-10-22
2025-10-21
2025-10-20
2025-10-19
2025-10-18
2025-10-17
2025-10-16
2025-10-15
2025-10-14
2025-10-13
2025-10-12
2025-10-11
2025-10-10
2025-10-09
2025-10-08
2025-10-07
2025-10-06
2025-10-05
2025-10-04
2025-10-03
2025-10-02
2025-10-01
2025-09-30
2025-09-29
2025-09-28
2025-09-27
2025-09-26
2025-09-25
2025-09-24
2025-09-23
2025-09-22
2025-09-21
2025-09-20
2025-09-19
2025-09-18
2025-09-17
2025-09-16
2025-09-15
2025-09-14
2025-09-13
2025-09-12
2025-09-11
2025-09-10
2025-09-09
2025-09-08
2025-09-07
2025-09-06
2025-09-05
2025-09-04
2025-09-03
2025-09-02
2025-09-01
2025-08-31
2025-08-30
2025-08-29
2025-08-28
2025-08-27
2025-08-26
2025-08-25
2025-08-24
2025-08-23
2025-08-22
2025-08-21
2025-08-20
2025-08-19
2025-08-18
2025-08-17
2025-08-16
2025-08-15
2025-08-14
2025-08-13
2025-08-12
2025-08-11
2025-08-10
2025-08-09
2025-08-08
2025-08-07
2025-08-06
2025-08-05
2025-08-04
2025-08-03
2025-08-02
2025-08-01
2025-07-31
2025-07-30
2025-07-29
2025-07-28
2025-07-27
2025-07-26
2025-07-25
2025-07-24
2025-07-23
2025-07-22
2025-07-21
2025-07-20
2025-07-19
2025-07-18
2025-07-17
2025-07-16
2025-07-15
2025-07-14
2025-07-11
2025-07-10
2025-07-09
2025-07-08
2025-07-07
2025-07-06
2025-07-05
2025-07-04
2025-07-03
2025-07-02
2025-07-01
2025-06-30
2025-06-29
2025-06-28
2025-06-27
2025-06-26
2025-06-25
2025-06-24
2025-06-23
2025-06-22
2025-06-21
2025-06-20
2025-06-19
2025-06-18
2025-06-17
2025-06-16
2025-06-15
2025-06-14
2025-06-13
2025-06-12
2025-06-11
2025-06-10
2025-06-09
2025-06-08
2025-06-07
2025-06-06
2025-06-05
2025-06-04
2025-06-03
2025-06-02
2025-06-01
2025-05-31
2025-05-30
2025-05-29
2025-05-28
2025-05-27
2025-05-26
2025-05-25
2025-05-24
2025-05-23
2025-05-22
2025-05-21
2025-05-20
2025-05-19
2025-05-18
2025-05-17
2025-05-16
2025-05-15
2025-05-14
2025-05-13
2025-05-12
2025-05-11
2025-05-10
2025-05-09
2025-05-08
2025-05-07
2025-05-06
2025-05-05
2025-05-04
2025-05-03
2025-05-02
2025-05-01
2025-04-30
2025-04-29
2025-04-28
2025-04-27
2025-04-26
2025-04-25
2025-04-24
2025-04-23
2025-04-22
2025-04-20
2025-04-21
2025-04-19
2025-04-18
2025-04-17
2025-04-15
2025-04-16
2025-04-14
2025-04-13
2025-04-12
2025-04-11
2025-04-10
2025-04-09
2025-04-08
2025-04-07
2025-04-06
2025-04-05
2025-04-04
2025-04-03
2025-04-02
2025-04-01
2025-03-31
2025-03-30
2025-03-29
2025-03-28
2025-03-27
2025-03-26
2025-03-25
2025-03-24
2025-03-23
2025-03-22
2025-03-21
2025-03-20
2025-03-19
2025-03-18
2025-03-17
2025-03-16
2025-03-15
2025-03-14
2025-03-13
2025-03-12
2025-03-11
2025-03-10
2025-03-09
2025-03-08
2025-03-07
2025-03-06
2025-03-05
2025-03-04
2025-03-03
2025-03-02
2025-03-01
2025-02-28
2025-02-27
2025-02-26
2025-02-25
2025-02-24
2025-02-23
2025-02-21
2025-02-20
2025-02-19
2025-02-18
2025-02-17
2025-02-16
2025-02-15
2025-02-14
2025-02-13
2025-02-12
2025-02-11
2025-02-10
2025-02-09
2025-02-08
2025-02-07
2025-02-06
2025-02-05
2025-02-04
2025-02-03
2025-02-02
2025-02-01
2025-01-31
2025-01-30
2025-01-29
2025-01-28
2025-01-27
2025-01-26
2025-01-24
2025-01-23
2025-01-22
2025-01-21
2025-01-20
2025-01-19
2025-01-18
2025-01-17
2025-01-16
2025-01-15
2025-01-14
2025-01-13
2025-01-11
2025-01-10
2025-01-09
2025-01-08
2025-01-07
2025-01-06
2025-01-05
2025-01-04
2025-01-03
2025-01-02
2025-01-01
2024-12-31
2024-12-30
2024-12-29
2024-12-28
2024-12-27
2024-12-26
2024-12-25
2024-12-23
2024-12-21
2024-12-20
2024-12-19
2024-12-18
2024-12-17
2024-12-16
2024-12-13
2024-12-12
2024-12-09
2024-12-08
2024-12-07
2024-12-06
2024-12-05
2024-12-04
2024-12-03
2024-12-02
2024-11-30
2024-11-29
2024-11-28
2024-11-27
2024-11-26
2024-11-25
2024-11-24
2024-11-23
Labels
Clear labels
Implemented in VED waiting push to Main
breaking change
bug
bug
bugfix
deferred
delete script
dependencies
enhancement
external
feature
github
help wanted
in project pipeline
invalid
investigation
json
maintenance
needs triage
new script
new script
nice to have
not a script issue
not planned
organization
pull-request
question
refactor
rename script
security
update script
website
wontdo
🛑 Failure to comply with the guidelines
Mirrored from GitHub Pull Request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: starred/ProxmoxVE#1344
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @vhsdream on GitHub (Jul 25, 2025).
✅ Have you read and understood the above guidelines?
yes
📜 What is the name of the script you are using?
calibre-web
📂 What was the exact command used to execute the script?
bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/calibre-web.sh)"
⚙️ What settings are you using?
🖥️ Which Linux distribution are you using?
Debian 12
📝 Provide a clear and concise description of the issue.
2 weeks ago a security team attempted to make contact with the Calibre-Web dev and received no response. Today they have published the details of two vulnerabilities in the application, you can read about them here and here.
Since Calibre-Web hasn't had an update in some time, these vulnerabilities remain in the stable release that is used by the Helper Script.
Some info about the vulns:
As far as I can tell, these vulns have only been patched in Autocaliweb - a fork of Calibre-Web and Calibre-Web Automated.
🔄 Steps to reproduce the issue.
See description
❌ Paste the full error output (if available).
See description
🖼️ Additional context (optional).
I just wanted to make this issue so that people using Calibre-Web are aware of this. I also want to make clear that the install and update scripts hosted by the Community Scripts org are not the source of the vulnerabilities - it's the upstream Calibre-Web source over which the org has no control.
We might want to consider temporarily removing the Calibre-Web scripts from the repo until there is an update from the Calibre-Web dev.
@MickLesk commented on GitHub (Jul 25, 2025):
I don't use calibre, but from your description this looks like a critical CVE.
In my opinion we should remove the json from the website and backup the install script until a new version is released, what do you think?
@vhsdream commented on GitHub (Jul 25, 2025):
Realistically speaking, the worst that could happen is the denial of service. Although it's not outside the realm of possibility that you have people out there who didn't change the default admin password (or have an easily brute-forced one) that have exposed their Calibre-Web to the internet, in which case an attacker could gain root-level access to the LXC. Luckily by default it's unprivileged, but still not a good idea to have any kind of compromise.
I agree with you and think we should pull the script.
@michelroegl-brunner commented on GitHub (Jul 26, 2025):
Removed for now.