Skip to main content

Full Calendar Macro CVE-2025-65091

CRITICAL
SQL Injection (CWE-89)
2026-01-10 security-advisories@github.com GHSA-2g22-wg49-fgv5
10.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Jan 29, 2026 - 17:27 nvd
Patch available
CVE Published
Jan 10, 2026 - 04:16 nvd
CRITICAL 10.0

DescriptionGitHub Advisory

XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5.

AnalysisAI

XWiki Full Calendar Macro (before 2.4.5) has SQL injection accessible to guest users via the Calendar.JSONService page. Maximum CVSS 10.0 with scope change. Patch available.

Technical ContextAI

The Calendar.JSONService page processes user input in SQL queries without parameterization (CWE-89). Since the page is accessible to guest users (no login required), any visitor can exploit the injection. The scope change and max CVSS indicate impact beyond the wiki database.

RemediationAI

Update to Full Calendar Macro 2.4.5. Restrict Calendar.JSONService access to authenticated users.

Share

CVE-2025-65091 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy