Full Calendar Macro
CVE-2025-65091
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5.
AnalysisAI
XWiki Full Calendar Macro (before 2.4.5) has SQL injection accessible to guest users via the Calendar.JSONService page. Maximum CVSS 10.0 with scope change. Patch available.
Technical ContextAI
The Calendar.JSONService page processes user input in SQL queries without parameterization (CWE-89). Since the page is accessible to guest users (no login required), any visitor can exploit the injection. The scope change and max CVSS indicate impact beyond the wiki database.
RemediationAI
Update to Full Calendar Macro 2.4.5. Restrict Calendar.JSONService access to authenticated users.
More in Full Calendar Macro
View allSame weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-2g22-wg49-fgv5