Skip to main content

Cal.com cal.diy CVE-2026-9303

| EUVDEUVD-2026-31539 LOW
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-23 VulDB GHSA-m2vm-mcmh-jrc7
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Severity Changed
May 26, 2026 - 19:37 NVD
MEDIUM LOW
CVSS changed
May 26, 2026 - 19:37 NVD
4.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
May 23, 2026 - 14:30 vuln.today

DescriptionCVE.org

A vulnerability was identified in calcom cal.diy up to 4.9.4. Impacted is an unknown function. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Cross-site request forgery (CSRF) in Cal.com cal.diy versions up to 4.9.4 enables remote attackers to perform unauthorized actions on behalf of authenticated users through specially crafted requests. Public exploit code is available via GitHub Gist, lowering the barrier for exploitation. The vendor was notified but has not responded or released a patch, leaving users dependent on compensating controls. EPSS data unavailable, but the combination of low attack complexity (AC:L), no authentication requirement (PR:N), and available exploit code (E:P) elevates practical exploitation risk above the base CVSS score of 4.3.

Technical ContextAI

This vulnerability affects Cal.com cal.diy (CPE: cpe:2.3:a:calcom:cal.diy), an open-source scheduling platform. The flaw is rooted in CWE-352 (Cross-Site Request Forgery), indicating the application fails to validate that HTTP requests originated from legitimate user actions rather than attacker-controlled sites. CSRF vulnerabilities arise when web applications do not implement anti-CSRF tokens, SameSite cookie attributes, or origin validation on state-changing operations. In Cal.com's case, the affected function remains unspecified in the disclosure, but typical CSRF targets in scheduling applications include calendar event creation/deletion, settings modification, user invitation endpoints, and OAuth integrations. The CVSS vector (AV:N/AC:L) confirms network-exploitable with low complexity, meaning attackers need only trick authenticated users into visiting a malicious page or clicking a link.

RemediationAI

No vendor-released patch is available at time of analysis. The vendor was contacted early but has not responded (per description and RL:X vector). Users of cal.diy 4.9.4 or earlier should implement the following compensating controls: (1) Deploy a web application firewall (WAF) with CSRF protection rules to validate Referer/Origin headers on state-changing requests (POST/PUT/DELETE/PATCH methods); note this may break legitimate cross-origin API integrations and requires testing. (2) Configure reverse proxy (nginx/Apache) to enforce SameSite=Strict cookie attributes for session cookies; this prevents cookies from being sent in cross-site requests but will break functionality if users access cal.diy from email links or external calendar clients. (3) Implement network-level access controls to restrict cal.diy access to trusted IP ranges or VPN-only access, reducing attacker ability to deliver CSRF payloads; this limits usability for remote/mobile users. (4) Educate users not to click untrusted links while logged into cal.diy and to log out after use. Monitor vendor channels (https://github.com/calcom/cal.com) for future security updates and consider migrating to the vendor-hosted cal.com service if vendor support for self-hosted versions remains unresponsive.

Share

CVE-2026-9303 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy