Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A security flaw has been discovered in calcom cal.diy up to 4.9.4. The affected element is the function validateUrlForSSRF of the file apps/web/app/api/logo/route.ts of the component Logo API. The manipulation results in server-side request forgery. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is described as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Server-side request forgery in Cal.com cal.diy versions up to 4.9.4 enables authenticated attackers to make the server perform arbitrary HTTP requests to internal or external systems via the Logo API endpoint. The vulnerable validateUrlForSSRF function in apps/web/app/api/logo/route.ts insufficiently validates user-supplied URLs, allowing bypass of SSRF protections. Public exploit code exists (EPSS data not provided), though exploitation complexity is high (CVSS AC:H) requiring low-level privileges and technical sophistication. The vendor received early notification but has not responded or released a patch.
Technical ContextAI
This vulnerability affects the Cal.com cal.diy scheduling platform, specifically the Logo API route handler (apps/web/app/api/logo/route.ts). The flaw is a classic Server-Side Request Forgery (CWE-918) resulting from inadequate input validation in the validateUrlForSSRF function. SSRF vulnerabilities occur when an application accepts user-controlled URLs and fetches resources without proper validation, allowing attackers to abuse the server as a proxy to access internal services (cloud metadata endpoints, internal APIs, databases) or perform port scanning and service enumeration. In this case, the Logo API likely accepts URL parameters for fetching external logos or images, and the validation routine can be bypassed to target unintended destinations. The CPE string cpe:2.3:a:calcom:cal.diy:*:*:*:*:*:*:*:* confirms this affects the Cal.com cal.diy product family, a self-hosted open-source scheduling infrastructure.
RemediationAI
No vendor-released patch exists at time of analysis-Cal.com has not responded to vulnerability disclosure. Organizations must implement compensating controls until a fix becomes available. Primary mitigation: restrict access to the Logo API endpoint (/api/logo/*) to only trusted authenticated users through authentication layer controls or reverse proxy rules, reducing attack surface given the PR:L requirement. Secondary mitigation: implement network-level egress filtering from application servers hosting cal.diy, explicitly blocking access to RFC 1918 private address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), localhost/loopback (127.0.0.0/8, ::1), link-local addresses (169.254.0.0/16), and cloud metadata endpoints (169.254.169.254 for AWS/Azure, metadata.google.internal for GCP)-note this may break legitimate external logo fetching functionality requiring allowlist configuration. Tertiary option: disable or remove the Logo API functionality entirely if not business-critical by removing the route handler or implementing application-level feature flags-assess impact on logo display features before deployment. Monitor application logs for unusual URL patterns in logo API requests (internal IPs, localhost, metadata endpoints). Reference the public exploit code at https://gist.github.com/YLChen-007/b3d0b85767b7e346a291933d602fbb3b to understand bypass techniques and test defensive measures. Consider migrating to officially supported Cal.com cloud offerings if self-hosted security maintenance becomes unsustainable.
Information disclosure in Cal.com cal.diy up to version 4.9.4 allows remote unauthenticated attackers to access sensitiv
Cross-site request forgery (CSRF) in Cal.com cal.diy versions up to 4.9.4 enables remote attackers to perform unauthoriz
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31540
GHSA-6c7x-v3mr-g29x