CVE-2025-7404: Calibre Web and Autocaliweb have OS Command Injection vulnerability

July 24, 2025 (updated July 25, 2025)

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability in Calibre Web, Autocaliweb allows Blind OS Command Injection. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.

References

fluidattacks.com/advisories/kino
github.com/advisories/GHSA-qc4j-v7h6-xr5h
github.com/gelbphoenix/autocaliweb
github.com/janeczku/calibre-web
nvd.nist.gov/vuln/detail/CVE-2025-7404

Code Behaviors & Features

Detect and mitigate CVE-2025-7404 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →