Upstream Calibre-Web application has unpatched vulnerabilities #1344

New Issue

Closed

opened 2026-02-05 00:25:54 +03:00 by OVERLORD · 3 comments

OVERLORD commented 2026-02-05 00:25:54 +03:00

Owner

Copy Link

Originally created by @vhsdream on GitHub (Jul 25, 2025).

✅ Have you read and understood the above guidelines?

yes

📜 What is the name of the script you are using?

calibre-web

📂 What was the exact command used to execute the script?

bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/calibre-web.sh)"

⚙️ What settings are you using?

• Default Settings
• Advanced Settings

🖥️ Which Linux distribution are you using?

Debian 12

📝 Provide a clear and concise description of the issue.

2 weeks ago a security team attempted to make contact with the Calibre-Web dev and received no response. Today they have published the details of two vulnerabilities in the application, you can read about them here and here.

Since Calibre-Web hasn't had an update in some time, these vulnerabilities remain in the stable release that is used by the Helper Script.

Some info about the vulns:

• the Blind Command Injection vulnerability requires a malicious, authenticated Admin user to set the path to a malicious command or script. The vulnerable function will blindly execute the command, since there is no validation. It's possible to get a reverse shell via this method, but again, this can only be achieved by authenticated admins, so it's mitigated somewhat.
• the reDOS vulnerability allows any unauthenticated attacker to cause a denial of service by sending specially crafted input to the login form. Since this is possible without any authentication, Calibre-Web instances open to the internet are definitely vulnerable to this.

As far as I can tell, these vulns have only been patched in Autocaliweb - a fork of Calibre-Web and Calibre-Web Automated.

🔄 Steps to reproduce the issue.

See description

❌ Paste the full error output (if available).

See description

🖼️ Additional context (optional).

I just wanted to make this issue so that people using Calibre-Web are aware of this. I also want to make clear that the install and update scripts hosted by the Community Scripts org are not the source of the vulnerabilities - it's the upstream Calibre-Web source over which the org has no control.

We might want to consider temporarily removing the Calibre-Web scripts from the repo until there is an update from the Calibre-Web dev.

Originally created by @vhsdream on GitHub (Jul 25, 2025). ### ✅ Have you read and understood the above guidelines? yes ### 📜 What is the name of the script you are using? calibre-web ### 📂 What was the exact command used to execute the script? bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/calibre-web.sh)" ### ⚙️ What settings are you using? - [x] Default Settings - [ ] Advanced Settings ### 🖥️ Which Linux distribution are you using? Debian 12 ### 📝 Provide a clear and concise description of the issue. 2 weeks ago a security team attempted to make contact with the Calibre-Web dev and received [no response](https://github.com/janeczku/calibre-web/issues/3427). Today they have published the details of two vulnerabilities in the application, you can read about them [here](https://fluidattacks.com/advisories/megadeth) and [here](https://fluidattacks.com/advisories/kino). Since Calibre-Web hasn't had an update in some time, these vulnerabilities remain in the stable release that is used by the Helper Script. Some info about the vulns: - the Blind Command Injection vulnerability requires a malicious, authenticated Admin user to set the path to a malicious command or script. The vulnerable function will blindly execute the command, since there is no validation. It's possible to get a reverse shell via this method, but again, this can only be achieved by authenticated admins, so it's mitigated somewhat. - the reDOS vulnerability allows any unauthenticated attacker to cause a denial of service by sending specially crafted input to the login form. Since this is possible without any authentication, Calibre-Web instances open to the internet are definitely vulnerable to this. As far as I can tell, these vulns have only been patched in [Autocaliweb](https://github.com/gelbphoenix/autocaliweb) - a fork of Calibre-Web and Calibre-Web Automated. ### 🔄 Steps to reproduce the issue. See description ### ❌ Paste the full error output (if available). See description ### 🖼️ Additional context (optional). I just wanted to make this issue so that people using Calibre-Web are aware of this. I also want to make clear that the install and update scripts hosted by the Community Scripts org are not the source of the vulnerabilities - it's the upstream Calibre-Web source over which the org has no control. We might want to consider temporarily removing the Calibre-Web scripts from the repo until there is an update from the Calibre-Web dev.

OVERLORD added the not a script issueexternalsecurity labels 2026-02-05 00:25:54 +03:00

OVERLORD closed this issue 2026-02-05 00:25:57 +03:00

OVERLORD commented 2026-02-05 00:26:03 +03:00

Author

Owner

Copy Link

@MickLesk commented on GitHub (Jul 25, 2025):

I don't use calibre, but from your description this looks like a critical CVE.

In my opinion we should remove the json from the website and backup the install script until a new version is released, what do you think?

@MickLesk commented on GitHub (Jul 25, 2025): I don't use calibre, but from your description this looks like a critical CVE. In my opinion we should remove the json from the website and backup the install script until a new version is released, what do you think?

OVERLORD commented 2026-02-05 00:26:05 +03:00

Author

Owner

Copy Link

@vhsdream commented on GitHub (Jul 25, 2025):

Realistically speaking, the worst that could happen is the denial of service. Although it's not outside the realm of possibility that you have people out there who didn't change the default admin password (or have an easily brute-forced one) that have exposed their Calibre-Web to the internet, in which case an attacker could gain root-level access to the LXC. Luckily by default it's unprivileged, but still not a good idea to have any kind of compromise.

I agree with you and think we should pull the script.

@vhsdream commented on GitHub (Jul 25, 2025): Realistically speaking, the worst that could happen is the denial of service. Although it's not outside the realm of possibility that you have people out there who didn't change the default admin password (or have an easily brute-forced one) that have exposed their Calibre-Web to the internet, in which case an attacker could gain root-level access to the LXC. Luckily by default it's unprivileged, but still not a good idea to have any kind of compromise. I agree with you and think we should pull the script.

OVERLORD commented 2026-02-05 00:26:10 +03:00

Author

Owner

Copy Link

@michelroegl-brunner commented on GitHub (Jul 26, 2025):

Removed for now.

@michelroegl-brunner commented on GitHub (Jul 26, 2025): Removed for now.

OVERLORD referenced this issue 2026-02-05 05:23:57 +03:00

[PR #1344] [MERGED] fix: only validate scripts in validate-scripts workflow #2995

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

github-action-update-changelog

pr-update-app-files

docker_deb13

feat/cloudinit-sshkeys

feat/sqlserver2025

automated/update-github-versions

add-script-opencloud-1770212555

add-script-openclaw-1770212634

github-action-archive-changelog

update_apps_tool

add-script-wishlist-1770193085

MickLesk-patch-2

add-script-writefreely-1770188758

add-script-wealthfolio-1770143943

fix/vaultwarden-update-script

remove_memos

disable_npm

feature/codeberg-functions-forgejo-readeck

add-script-rustypaste-1770019426

add-script-kitchenowl-1770017260

fix/2fauth-php-version

tools_func_addcodeberg

CrazyWolf13-patch-2

add-script-shelfmark-1769790178

CrazyWolf13-patch-1

add-script-ampache-1769790139

add-script-languagetool-1769790155

remove_php_deps

ref_koilection

fix/php-module-improvements

tremor021-patch-1

fix/open-archiver-meilisearch-migration

cloudflare_dns

MickLesk-patch-1

michelroegl-brunner-patch-2

fix/version-display

fix/debian13-root-ownership

feat/interactive_prompts

feature/smart-error-recovery

core_stable

update_docs

refactor/tools-func-stability

certbot_npm

2026-02-03

2026-02-02

2026-02-01

2026-01-31

2026-01-30

2026-01-29

2026-01-28

2026-01-27

2026-01-26

2026-01-25

2026-01-24

2026-01-23

2026-01-22

2026-01-21

2026-01-20

2026-01-19

2026-01-18

2026-01-17

2026-01-16

2026-01-15

2026-01-14

2026-01-13

2026-01-12

2026-01-11

2026-01-10

2026-01-09

2026-01-08

2026-01-07

2026-01-06

2026-01-05

2026-01-04

2026-01-03

2026-01-02

2026-01-01

2025-12-31

2025-12-30

2025-12-29

2025-12-28

2025-12-27

2025-12-26

2025-12-25

2025-12-24

2025-12-23

2025-12-22

2025-12-21

2025-12-20

2025-12-19

2025-12-18

2025-12-17

2025-12-16

2025-12-15

2025-12-14

2025-12-13

2025-12-12

2025-12-11

2025-12-10

2025-12-09

2025-12-08

2025-12-07

2025-12-06

2025-12-05

2025-12-04

2025-12-03

2025-12-02

2025-12-01

2025-11-30

2025-11-29

2025-11-28

2025-11-27

2025-11-26

2025-11-25

2025-11-24

2025-11-23

2025-11-22

2025-11-21

2025-11-20

2025-11-19

2025-11-18

2025-11-17

2025-11-16

2025-11-15

2025-11-14

2025-11-13

2025-11-12

2025-11-11

2025-11-10

2025-11-09

2025-11-08

2025-11-07

2025-11-06

2025-11-05

2025-11-04

2025-11-03

2025-11-02

2025-11-01

2025-10-31

2025-10-30

2025-10-29

2025-10-28

2025-10-27

2025-10-26

2025-10-25

2025-10-24

2025-10-23

2025-10-22

2025-10-21

2025-10-20

2025-10-19

2025-10-18

2025-10-17

2025-10-16

2025-10-15

2025-10-14

2025-10-13

2025-10-12

2025-10-11

2025-10-10

2025-10-09

2025-10-08

2025-10-07

2025-10-06

2025-10-05

2025-10-04

2025-10-03

2025-10-02

2025-10-01

2025-09-30

2025-09-29

2025-09-28

2025-09-27

2025-09-26

2025-09-25

2025-09-24

2025-09-23

2025-09-22

2025-09-21

2025-09-20

2025-09-19

2025-09-18

2025-09-17

2025-09-16

2025-09-15

2025-09-14

2025-09-13

2025-09-12

2025-09-11

2025-09-10

2025-09-09

2025-09-08

2025-09-07

2025-09-06

2025-09-05

2025-09-04

2025-09-03

2025-09-02

2025-09-01

2025-08-31

2025-08-30

2025-08-29

2025-08-28

2025-08-27

2025-08-26

2025-08-25

2025-08-24

2025-08-23

2025-08-22

2025-08-21

2025-08-20

2025-08-19

2025-08-18

2025-08-17

2025-08-16

2025-08-15

2025-08-14

2025-08-13

2025-08-12

2025-08-11

2025-08-10

2025-08-09

2025-08-08

2025-08-07

2025-08-06

2025-08-05

2025-08-04

2025-08-03

2025-08-02

2025-08-01

2025-07-31

2025-07-30

2025-07-29

2025-07-28

2025-07-27

2025-07-26

2025-07-25

2025-07-24

2025-07-23

2025-07-22

2025-07-21

2025-07-20

2025-07-19

2025-07-18

2025-07-17

2025-07-16

2025-07-15

2025-07-14

2025-07-11

2025-07-10

2025-07-09

2025-07-08

2025-07-07

2025-07-06

2025-07-05

2025-07-04

2025-07-03

2025-07-02

2025-07-01

2025-06-30

2025-06-29

2025-06-28

2025-06-27

2025-06-26

2025-06-25

2025-06-24

2025-06-23

2025-06-22

2025-06-21

2025-06-20

2025-06-19

2025-06-18

2025-06-17

2025-06-16

2025-06-15

2025-06-14

2025-06-13

2025-06-12

2025-06-11

2025-06-10

2025-06-09

2025-06-08

2025-06-07

2025-06-06

2025-06-05

2025-06-04

2025-06-03

2025-06-02

2025-06-01

2025-05-31

2025-05-30

2025-05-29

2025-05-28

2025-05-27

2025-05-26

2025-05-25

2025-05-24

2025-05-23

2025-05-22

2025-05-21

2025-05-20

2025-05-19

2025-05-18

2025-05-17

2025-05-16

2025-05-15

2025-05-14

2025-05-13

2025-05-12

2025-05-11

2025-05-10

2025-05-09

2025-05-08

2025-05-07

2025-05-06

2025-05-05

2025-05-04

2025-05-03

2025-05-02

2025-05-01

2025-04-30

2025-04-29

2025-04-28

2025-04-27

2025-04-26

2025-04-25

2025-04-24

2025-04-23

2025-04-22

2025-04-20

2025-04-21

2025-04-19

2025-04-18

2025-04-17

2025-04-15

2025-04-16

2025-04-14

2025-04-13

2025-04-12

2025-04-11

2025-04-10

2025-04-09

2025-04-08

2025-04-07

2025-04-06

2025-04-05

2025-04-04

2025-04-03

2025-04-02

2025-04-01

2025-03-31

2025-03-30

2025-03-29

2025-03-28

2025-03-27

2025-03-26

2025-03-25

2025-03-24

2025-03-23

2025-03-22

2025-03-21

2025-03-20

2025-03-19

2025-03-18

2025-03-17

2025-03-16

2025-03-15

2025-03-14

2025-03-13

2025-03-12

2025-03-11

2025-03-10

2025-03-09

2025-03-08

2025-03-07

2025-03-06

2025-03-05

2025-03-04

2025-03-03

2025-03-02

2025-03-01

2025-02-28

2025-02-27

2025-02-26

2025-02-25

2025-02-24

2025-02-23

2025-02-21

2025-02-20

2025-02-19

2025-02-18

2025-02-17

2025-02-16

2025-02-15

2025-02-14

2025-02-13

2025-02-12

2025-02-11

2025-02-10

2025-02-09

2025-02-08

2025-02-07

2025-02-06

2025-02-05

2025-02-04

2025-02-03

2025-02-02

2025-02-01

2025-01-31

2025-01-30

2025-01-29

2025-01-28

2025-01-27

2025-01-26

2025-01-24

2025-01-23

2025-01-22

2025-01-21

2025-01-20

2025-01-19

2025-01-18

2025-01-17

2025-01-16

2025-01-15

2025-01-14

2025-01-13

2025-01-11

2025-01-10

2025-01-09

2025-01-08

2025-01-07

2025-01-06

2025-01-05

2025-01-04

2025-01-03

2025-01-02

2025-01-01

2024-12-31

2024-12-30

2024-12-29

2024-12-28

2024-12-27

2024-12-26

2024-12-25

2024-12-23

2024-12-21

2024-12-20

2024-12-19

2024-12-18

2024-12-17

2024-12-16

2024-12-13

2024-12-12

2024-12-09

2024-12-08

2024-12-07

2024-12-06

2024-12-05

2024-12-04

2024-12-03

2024-12-02

2024-11-30

2024-11-29

2024-11-28

2024-11-27

2024-11-26

2024-11-25

2024-11-24

2024-11-23

Labels

Clear labels

Implemented in VED waiting push to Main

breaking change

bug

bug

bugfix

deferred

delete script

dependencies

enhancement

external

feature

github

help wanted

in project pipeline

invalid

investigation

json

maintenance

needs triage

new script

new script

nice to have

not a script issue

not planned

organization

pull-request

Mirrored from GitHub Pull Request

question

refactor

rename script

security

update script

website

wontdo

🛑 Failure to comply with the guidelines

No Label external not a script issue security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/ProxmoxVE#1344