Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was identified in calcom cal.diy up to 4.9.4. Impacted is an unknown function. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Cross-site request forgery (CSRF) in Cal.com cal.diy versions up to 4.9.4 enables remote attackers to perform unauthorized actions on behalf of authenticated users through specially crafted requests. Public exploit code is available via GitHub Gist, lowering the barrier for exploitation. The vendor was notified but has not responded or released a patch, leaving users dependent on compensating controls. EPSS data unavailable, but the combination of low attack complexity (AC:L), no authentication requirement (PR:N), and available exploit code (E:P) elevates practical exploitation risk above the base CVSS score of 4.3.
Technical ContextAI
This vulnerability affects Cal.com cal.diy (CPE: cpe:2.3:a:calcom:cal.diy), an open-source scheduling platform. The flaw is rooted in CWE-352 (Cross-Site Request Forgery), indicating the application fails to validate that HTTP requests originated from legitimate user actions rather than attacker-controlled sites. CSRF vulnerabilities arise when web applications do not implement anti-CSRF tokens, SameSite cookie attributes, or origin validation on state-changing operations. In Cal.com's case, the affected function remains unspecified in the disclosure, but typical CSRF targets in scheduling applications include calendar event creation/deletion, settings modification, user invitation endpoints, and OAuth integrations. The CVSS vector (AV:N/AC:L) confirms network-exploitable with low complexity, meaning attackers need only trick authenticated users into visiting a malicious page or clicking a link.
RemediationAI
No vendor-released patch is available at time of analysis. The vendor was contacted early but has not responded (per description and RL:X vector). Users of cal.diy 4.9.4 or earlier should implement the following compensating controls: (1) Deploy a web application firewall (WAF) with CSRF protection rules to validate Referer/Origin headers on state-changing requests (POST/PUT/DELETE/PATCH methods); note this may break legitimate cross-origin API integrations and requires testing. (2) Configure reverse proxy (nginx/Apache) to enforce SameSite=Strict cookie attributes for session cookies; this prevents cookies from being sent in cross-site requests but will break functionality if users access cal.diy from email links or external calendar clients. (3) Implement network-level access controls to restrict cal.diy access to trusted IP ranges or VPN-only access, reducing attacker ability to deliver CSRF payloads; this limits usability for remote/mobile users. (4) Educate users not to click untrusted links while logged into cal.diy and to log out after use. Monitor vendor channels (https://github.com/calcom/cal.com) for future security updates and consider migrating to the vendor-hosted cal.com service if vendor support for self-hosted versions remains unresponsive.
Information disclosure in Cal.com cal.diy up to version 4.9.4 allows remote unauthenticated attackers to access sensitiv
Server-side request forgery in Cal.com cal.diy versions up to 4.9.4 enables authenticated attackers to make the server p
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31539
GHSA-m2vm-mcmh-jrc7