A deep-dive reverse engineering analysis of Calibre-Web v0.6.26 for Windows — verified against the official GitHub release, with full source code audit and security assessment.DisclaimerThis article i
A deep-dive reverse engineering analysis of Calibre-Web v0.6.26 for Windows — verified against the official GitHub release, with full source code audit and security assessment.
This article is a technical analysis conducted for educational and research purposes. The software was examined in a controlled environment. The goal is to provide transparency to the community and help users make informed decisions about the software they install. No copyrighted code is reproduced. No endorsement or condemnation of the software is intended.
If you manage an eBook library, you've probably heard of Calibre-Web. It's a free, open-source web application that lets you browse, read, and download eBooks from your Calibre library through any browser — complete with OPDS support for e-readers, Kobo sync, and a built-in EPUB reader.
But here's the question that prompted this analysis: Is the official Windows installer safe?
Unlike the source code (which anyone can inspect on GitHub), the pre-built Windows .exe installer is a black box. It's unsigned. It bundles its own Python runtime and dozens of third-party packages. For security-conscious users — especially those running it on a server or primary machine — that's a legitimate concern.
We decided to find out exactly what's inside.
Property | Value |
|---|---|
File |
|
Size | 46.79 MB |
Claimed Version | Calibre-Web v0.6.26 ("Ismara") |
Published | February 8, 2026 |
Downloaded From | Official GitHub release (1,347 downloads at time of analysis) |
Sources |
The executable immediately identified itself as an Inno Setup v6.6.1 installer — a legitimate, well-known Windows installer framework written in Delphi. The PE metadata confirmed:
Product Name: Calibre-Web Team
File Description: Calibre-Web Setup
Compiler: Embarcadero Delphi 36.0 (standard Inno Setup toolchain)
Digital Signature: Unsigned
The lack of a digital signature raised an eyebrow, but it's consistent with the Calibre-Web project's practices — the maintainer doesn't pay for code signing certificates for a free open-source project.
Before diving deeper, we verified the file against the official GitHub release. The SHA256 hash confirmed it's the exact same file published by maintainer OzzieIsaacs on the official v0.6.26 release page:
Algorithm | Hash |
|---|---|
SHA256 |
|
MD5 |
|
SHA1 |
|
This is the real deal. No tampering, no supply-chain attack.
Before executing the installer, we performed a thorough static analysis on the binary itself.
The installer has two parts:
Section | Offset | Size |
|---|---|---|
EXE Stub (Delphi runtime) | Beginning — 732 KB | 716 KB |
Setup Data (LZMA1 compressed) | 732 KB — 46.79 MB | 46.09 MB |
The executable stub is 716 KB of standard Delphi code — no suspicious modifications to the Inno Setup loader. The remaining 98.5% of the file is LZMA1-compressed setup data containing the actual Calibre-Web application.
We scanned every byte of the file for URLs, IP addresses, and domain names. Only one URL was found:
http://schemas.microsoft.com/SMI/2005/WindowsSettings
This is a standard Windows compatibility manifest entry, embedded in every Inno Setup installer. No C2 servers, no telemetry endpoints, no phone-home domains.
We searched for keywords associated with malware: Bitcoin wallets, cryptominers, reverse shells, PowerShell injection, credential theft, process injection, keyloggers, backdoor commands, encoded payloads.
Zero matches.
The compressed section showed 100% entropy — which sounds alarming but is actually expected for well-compressed LZMA data. High entropy does not indicate encryption or obfuscation when the data is simply compressed.
We attempted to extract the installer using every available tool:
innoextract 1.9 → Failed with "Unexpected setup loader revision: 2" / "Setup loader checksum mismatch!"
innounp 0.50 → Failed with "The setup files are corrupted or made by incompatible version"
7-Zip 25.01 → Cannot open as archive (no Inno Setup plugin)
These failures were initially concerning — especially the "checksum mismatch" — but they're false positives caused by the installer using Inno Setup v6.6.1, which is newer than any available extraction tool supports. The format changed in newer Inno Setup revisions, breaking backward compatibility with older extractors.
Static analysis could only tell us so much. To see the actual application code, we needed to extract the files. We ran the installer silently:
Calibre-Web-Setup_V0626_2.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DIR=extract_path
Metric | Value |
|---|---|
Total files extracted | 4,547 |
Total size | 214 MB |
Architecture | PyInstaller-bundled Python 3.13 application |
Entry point |
|
The installer bundles a complete, self-contained Python environment:
Calibre-Web/
├── calibreweb.exe # PyInstaller bootloader
├── unins000.exe / unins000.dat # Uninstaller
└── _internal/
├── python313.dll # Python 3.13 runtime
├── base_library.zip # Python standard library
├── libcrypto-3.dll # OpenSSL 3.x
├── libssl-3.dll # OpenSSL 3.x
├── cps/ # Calibre-Web application
│ ├── web.py # Main web routes (179 KB)
│ ├── admin.py # Admin interface (130 KB)
│ ├── db.py # Database models (66 KB)
│ ├── kobo.py # Kobo sync integration
│ ├── templates/ # 47 HTML templates
│ ├── static/ # CSS, JS, images, fonts
│ └── translations/ # 27 language packs
├── flask-3.1.2/ # Flask web framework
├── sqlalchemy-2.0.46/ # SQLAlchemy ORM
├── Cryptodome/ # PyCryptodome
├── cryptography/ # Cryptography package
└── ... (30+ more packages)
We then unpacked the PyInstaller archive inside calibreweb.exe, extracting 2,320 Python bytecode files (.pyc) across 127 modules. The main application module (cps/) contained 60 Python files covering the entire Calibre-Web application logic:
__init__.py, web.py, admin.py, db.py, kobo.py, config_sql.py, opds.py, shelf.py, editbooks.py, helper.py, ub.py, updater.py, oauth.py, search.py, server.py, gdriveutils.py, comic.py, epub.py, and more.
Every single file was plain Python bytecode — no obfuscation, no encryption, no anti-debugging tricks. This is refreshingly transparent compared to many commercial applications we've analyzed.
We analyzed every Python module for security concerns, network endpoints, data handling, and suspicious behavior.
Every external connection the application makes:
Endpoint | Purpose | Optional? |
|---|---|---|
| Checks for newer versions | No |
| Syncs books with Kobo devices | Yes |
| Fetches book cover images from Kobo | Yes |
Goodreads API | Book metadata lookup | Yes (configurable) |
Amazon product pages | Book identifier links | Yes (user clicks) |
Google Books API | Book metadata lookup | Yes (configurable) |
WorldCat, Barnes & Noble, Kobo, etc. | Book identifier links | Yes (user clicks) |
That's it. There is no telemetry, no analytics, no usage tracking, no advertising, no third-party data collection. Compare this to most modern web applications which embed Google Analytics, Sentry, PostHog, or similar tracking — Calibre-Web has none of that.
Calibre-Web implements several security best practices:
Password Storage: User passwords are hashed using Flask's generate_password_hash (Werkzeug's scrypt-based implementation). No plaintext storage.
OAuth: Support for Google, Discord, Facebook OAuth login. Tokens are stored in the database with proper scoping.
Content Security Policy: The application sets CSP headers to mitigate XSS attacks, with 'unsafe-eval' enabled only where needed for frontend features.
Rate Limiting: Flask-Limiter is configured to prevent brute-force attacks on login endpoints.
LDAP Authentication: Optional enterprise LDAP support with service account credentials.
Configurable Password Policies: Administrators can enforce minimum length, number, and lowercase requirements.
No telemetry or analytics — no Google Analytics, PostHog, Sentry, Mixpanel, Amplitude, or any tracking library
No phone-home mechanism — beyond the GitHub update checker, the application does not contact any server without user action
No obfuscated code — all Python source is standard, readable bytecode
No encrypted payloads — no hidden data, no steganography
No cryptominers — no mining code, no wallet addresses, no pool connections
No backdoors — no hardcoded credentials, no hidden admin accounts, no remote control endpoints
No exploit code — no shell injection, no command execution vulnerabilities in the code we reviewed
No anti-debugging — no VM detection, no sandbox evasion, no anti-tamper mechanisms
The installer bundles 30+ Python packages with strict version pinning. The key dependencies are well-known, well-audited open-source libraries:
Package | Version | Notes |
|---|---|---|
Flask | 3.1.2 | Stable, actively maintained |
SQLAlchemy | 2.0.46 | Industry-standard Python ORM |
Tornado | 6.4.2 | Mature async networking library |
Cryptography | 44.0.3 | PyCA cryptography (OpenSSL bindings) |
PyCryptodome | — | Self-contained crypto library |
Requests | >=2.32.0 | HTTP library |
LXML | >=4.9.1 | XML/HTML parser |
Wand | >=0.4.4 | ImageMagick binding (image processing) |
The optional-requirements.txt adds support for Google Drive, Gmail sending, Goodreads metadata, LDAP login, OAuth, and comic book parsing — all optional, user-enabled features.
For those new to it, Calibre-Web is a web-based frontend for Calibre, the legendary open-source eBook management software. It turns your Calibre library into a personal web server accessible from any device:
Browse & search your eBook library from any browser
Read online with a built-in EPUB reader
Download books in EPUB, PDF, MOBI, CBZ, CBR, TXT, and more
Sync to your Kobo, Kindle, or PocketBook via OPDS
Share your library with family or friends with user accounts
Edit metadata — authors, covers, descriptions, tags
Multi-language — fully translated into 27 languages
It's not a replacement for Calibre itself — it's a companion web app that makes your Calibre library accessible over the network.
Category | Result |
|---|---|
Malicious code | ❌ None found |
Suspicious network endpoints | ❌ None found |
Cryptominers / ransomware | ❌ None found |
Trojan / backdoor | ❌ None found |
Telemetry / analytics | ❌ None found |
Obfuscated code | ❌ Standard Python bytecode |
Unsigned | ⚠️ Yes — but consistent with open-source practice |
Tampered with | ❌ No — hash matches official GitHub release |
Safe to use | ✅ Yes |
Is Calibre Web safe? Based on our thorough analysis of the official Windows installer — yes, absolutely.
This is one of the cleanest, most transparent Windows application installers we've analyzed. The code is unmodified from the open-source repository, there is no hidden functionality, no telemetry, no tracking, and no suspicious behavior. The application does exactly what it claims: serve your eBook library over the web.
Even though this specific installer is clean, here are some general precautions for any software you download:
Always verify the source. Download only from the official GitHub repository. Third-party mirrors could distribute modified versions.
Check the hashes. Compare the SHA256 hash of your downloaded file against the release page. We've provided the expected hash above.
Consider running as a service user. When installed as a Windows service, Calibre-Web should run under a dedicated low-privilege account, not your main user account.
Use a reverse proxy. Expose Calibre-Web through a proper TLS-terminating reverse proxy (nginx, Caddy, Traefik) with HTTPS, not directly to the internet.
Keep it updated. The updater checks GitHub for new versions — make sure you apply updates promptly.
This analysis used a combination of static and dynamic techniques:
Phase | Method |
|---|---|
Static Analysis | PE structure analysis, binary pattern scanning, entropy analysis |
String Extraction | URL, IP, and keyword scanning across 46 MB of compressed data |
Dynamic Extraction | Silent Inno Setup install, PyInstaller archive unpacking |
Code Analysis | 2,320 Python bytecode files analyzed for security concerns |
Network Mapping | All external endpoints identified and categorized |
Hash Verification | Cross-referenced against GitHub API release assets |
No code was executed beyond the installer's extraction phase. The uninstaller was used to clean up after extraction.
Calibre-Web is a remarkable piece of open-source software — a full-featured eBook server that's been in active development for years. This analysis confirms that the Windows installer is as trustworthy as the source code it's built from.
In a landscape where "free" software often comes with hidden costs (telemetry, ads, data collection), Calibre-Web stands out as genuinely clean. No tracking, no phone-home, no surprises.
If you run an eBook library, you can install this with confidence.
HxB — Hardened by eXperience.
Hegxib.me — Security research, reverse engineering, and software analysis.
If you found this analysis valuable, consider supporting our work:
Your donations help us continue producing in-depth security research and analysis for the community.
This analysis was performed in June 2026 against Calibre-Web v0.6.26 (Ismara). Findings accurate as of the analysis date. No installer binaries are distributed. This is an educational write-up for the security research community.
Questions, corrections, or collaboration? Reach out via Hegxib.me.