CVE-2025-65091

Severity: CRITICAL (CVSS 3.1 base score 10.0)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

CVE Published: Jan 10, 2026 - 04:16 (nvd)
Patch Released: Jan 29, 2026 - 17:27 (nvd) - patch available
Analysis Generated: Mar 12, 2026 - 21:54 (vuln.today)

Description

XWiki Full Calendar Macro displays objects from the wiki on a calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability in that page to read database information or to cause a denial of service. This issue has been patched in version 2.4.5.

Analysis

XWiki Full Calendar Macro (before 2.4.5) contains a SQL injection reachable by guest users through the Calendar.JSONService page. The vulnerability carries the maximum CVSS score of 10.0 with a scope change. A patch is available.

Technical Context

The Calendar.JSONService page incorporates user-supplied input into SQL queries without parameterization (CWE-89). Because the page is viewable by guest users (no login required), any visitor who can reach the wiki can trigger the injection. The scope change and maximum CVSS score indicate that the impact extends beyond the wiki's own database, for example to other data held in the same database instance.

Affected Products

XWiki Full Calendar Macro before 2.4.5

Remediation

Update to Full Calendar Macro 2.4.5, and restrict view access to the Calendar.JSONService page to authenticated users.

Priority Score: 50 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.2
CVSS: +50
POC: 0


CVE-2025-65091 vulnerability details – vuln.today
