Cross-Site Request Forgery (CSRF) in janeczku/calibre-web


Reported on

Sep 19th 2021


Hi team :), the /shelf/remove/id and /shelf/add/id is vulnerable against CSRFleading to the possibility to add and remove shelves' items on the behalf of the victim user.

Proof of Concept

  1. Install the application
  2. Create a new shelf (id == 1 in this case)
  3. The attacker sends the following GET CSRF form to the victim:
<img src="">
  1. The item will be removed

Similar attack possible for the following endpoint:


This vulnerability is capable of adding and removing shelves on the behalf of a victim without its cognizance

We have contacted a member of the janeczku/calibre-web team and are waiting to hear back 2 years ago
janeczku validated this vulnerability 2 years ago
mik317 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Michele Romano
2 years ago


Thanks a lot :)

Cheers, Mik

janeczku marked this as fixed in 0.6.16 with commit de1bc3 4 months ago
The fix bounty has been dropped
This vulnerability has now been published 4 months ago
to join this conversation