Cross-site Scripting (XSS) - Stored in janeczku/calibre-web


Reported on

Dec 20th 2021


A missing input check on Identifiers leads to stored XSS.

Steps to reproduce

  1. Any book -> Edit metadata -> Identifiers
  2. Set any value to the first field and javascript:alert(document.domain) to the second one.
  3. Save the book, select it, click on Identifier -> XSSed!

Proof of Concept

Video PoC

P.S.: this exploit works in Firefox and Safari, not Chrome.


This vulnerability can be used to steal cookies, log keystrokes, etc.


Please note that it is possible to use encoding; for instance, javascript:alert(1) will work too.
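One way to close this class of bug, as an added example that is not calibre-web's code and not the fix in commit 7ad419: turn an identifier value into a link only when it parses as an http(s) URL, and HTML-escape it on output. The names `safe_href` and `render_identifier`, and the http/https-only allowlist, are assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Assumption: identifier links only ever need to point at web pages.
ALLOWED_SCHEMES = {"http", "https"}
_C0_OR_SPACE = "".join(map(chr, range(0x21)))   # U+0000..U+0020
_TAB_OR_NEWLINE = re.compile(r"[\t\n\r]")


def safe_href(value):
    """Return a normalised http(s) URL, or None if the value must not be a link."""
    # Browser URL parsers drop leading/trailing C0 controls and spaces, and
    # tabs/newlines anywhere, before reading the scheme, so do the same here.
    candidate = _TAB_OR_NEWLINE.sub("", value.strip(_C0_OR_SPACE))
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return None
    # Allowlist rather than a "javascript:" denylist: any other scheme, and any
    # value whose scheme does not parse (for example an encoded one), fails closed.
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return candidate


def render_identifier(label, value):
    """Render one identifier: a link only for allowlisted URLs, else plain text."""
    text = html.escape(label)
    href = safe_href(value)
    if href is None:
        # Escaped on output, so character references in the value stay inert.
        return "<span>{}: {}</span>".format(text, html.escape(value))
    return '<a href="{}" rel="noopener noreferrer">{}</a>'.format(
        html.escape(href), text)


if __name__ == "__main__":
    # Constructed sample values, including the one from the report.
    for sample in ("https://www.example.org/book/42",
                   "javascript:alert(document.domain)",
                   "9780131103627"):
        print(render_identifier("id", sample))
```

The same check belongs both where the identifier is saved and where it is rendered, so values already stored before the check existed are covered too.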

We are processing your report and will contact the janeczku/calibre-web team within 24 hours. (a year ago)
We have contacted a member of the janeczku/calibre-web team and are waiting to hear back. (a year ago)
We have sent a follow up to the janeczku/calibre-web team. We will try again in 7 days. (a year ago)
janeczku validated this vulnerability (a year ago)
Scaramouche has been awarded the disclosure bounty
The fix bounty is now up for grabs
a year ago


Could you please review this report as well?

janeczku marked this as fixed in 0.6.15 with commit 7ad419 (a year ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE