Vulnerability: HTTP Response Header Injection
Package: calibre
Affected Versions: <= 9.3.1
Patched Versions: 9.4.0
Severity: Moderate (6.4/10)

CVSS v3 Base Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Confidentiality: Low
- Integrity: Low
- Availability: None

CVE ID: CVE-2026-27810
Weaknesses: CWE-113 (HTTP Response Splitting/HTTP Response Smuggling)
Credit: Mistz1 (Reporter)

Description

Summary:
An HTTP Response Header Injection vulnerability in the calibre Content Server allows any authenticated user to inject arbitrary HTTP headers into server responses via an unsanitized query parameter in the and endpoints.

Details:
- The function in reads the query parameter directly from the request URL and embeds it into the HTTP response header without any validation or sanitization.
- The function also has the same issue.
- Injected in the value splits the HTTP header line, allowing the attacker to inject entirely new response headers.

Prerequisites for PoC:
- A running calibre Content Server with authentication enabled.
- At least one book in the library.
- Valid user credentials.

Impact:
- An authenticated attacker can inject arbitrary HTTP response headers, enabling Cross-Site Scripting (XSS), Session Fixation, and Cache Poisoning.
- All users running the calibre Content Server with authentication enabled are affected.

Suggested Fix:
Validate against an allowlist of permitted values.
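The vulnerable pattern and the allowlist fix described above, as an added example that is not calibre's code. The advisory does not name the parameter, the header or its legal values, so the Content-Disposition header and the two permitted values are assumptions for illustration:

```python
import re

# Assumed allowlist for the example; the real parameter's legal values are not
# named in the advisory and would come from the endpoint's own semantics.
ALLOWED_VALUES = frozenset({"attachment", "inline"})

# Legal header field-value bytes are visible ASCII plus space and tab (RFC 7230).
# CR, LF and other control characters can terminate or split the header line.
_FIELD_VALUE_RE = re.compile(r"^[\t\x20-\x7e]*$")


def contains_header_injection(value: str) -> bool:
    """True if the value holds characters that could break out of a header line."""
    return _FIELD_VALUE_RE.match(value) is None


def validate_header_value(value: str, allowed=ALLOWED_VALUES) -> str:
    """Return the value only if it is exactly one of the permitted strings.

    Control-character rejection is a defence in depth: the allowlist alone
    already rules out anything containing CR or LF.
    """
    if contains_header_injection(value):
        raise ValueError("control characters are not allowed in header values")
    if value not in allowed:
        raise ValueError(f"unexpected value {value!r}; expected one of {sorted(allowed)}")
    return value


def build_header_unsafe(param: str) -> str:
    """The vulnerable shape: a query parameter interpolated straight into a header.

    The header name is assumed; the advisory does not name the affected header.
    """
    return f"Content-Disposition: {param}\r\n"


def build_header_safe(param: str) -> str:
    """The hardened shape: the value is allowlist-validated before interpolation."""
    return f"Content-Disposition: {validate_header_value(param)}\r\n"
```

A request whose parameter carries a CR/LF sequence makes build_header_unsafe emit two header lines where one was intended, while build_header_safe raises before any header is written.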