Skip to main content

Cal Diy

3 CVEs product

Monthly

CVE-2026-9349 MEDIUM POC This Month

Information disclosure in Cal.com cal.diy up to version 4.9.4 allows remote unauthenticated attackers to access sensitive booking data through manipulation of cancelledBy/rescheduledBy parameters in the bookings single view API endpoint. The vulnerability affects the Generic React API's getServerSideProps function, enabling unauthorized retrieval of booking-related information. Public exploit code exists demonstrating the attack technique, and the vendor has not responded to coordinated disclosure attempts, leaving users at elevated risk until patches are self-applied.

Information Disclosure Cal Diy
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-9304 LOW POC Monitor

Server-side request forgery in Cal.com cal.diy versions up to 4.9.4 enables authenticated attackers to make the server perform arbitrary HTTP requests to internal or external systems via the Logo API endpoint. The vulnerable validateUrlForSSRF function in apps/web/app/api/logo/route.ts insufficiently validates user-supplied URLs, allowing bypass of SSRF protections. Public exploit code exists (EPSS data not provided), though exploitation complexity is high (CVSS AC:H) requiring low-level privileges and technical sophistication. The vendor received early notification but has not responded or released a patch.

SSRF Cal Diy
NVD VulDB GitHub
CVSS 4.0
1.3
EPSS
0.0%
CVE-2026-9303 LOW POC Monitor

Cross-site request forgery (CSRF) in Cal.com cal.diy versions up to 4.9.4 enables remote attackers to perform unauthorized actions on behalf of authenticated users through specially crafted requests. Public exploit code is available via GitHub Gist, lowering the barrier for exploitation. The vendor was notified but has not responded or released a patch, leaving users dependent on compensating controls. EPSS data unavailable, but the combination of low attack complexity (AC:L), no authentication requirement (PR:N), and available exploit code (E:P) elevates practical exploitation risk above the base CVSS score of 4.3.

CSRF Cal Diy
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Information disclosure in Cal.com cal.diy up to version 4.9.4 allows remote unauthenticated attackers to access sensitive booking data through manipulation of cancelledBy/rescheduledBy parameters in the bookings single view API endpoint. The vulnerability affects the Generic React API's getServerSideProps function, enabling unauthorized retrieval of booking-related information. Public exploit code exists demonstrating the attack technique, and the vendor has not responded to coordinated disclosure attempts, leaving users at elevated risk until patches are self-applied.

Information Disclosure Cal Diy
NVD VulDB GitHub
EPSS 0% CVSS 1.3
LOW POC Monitor

Server-side request forgery in Cal.com cal.diy versions up to 4.9.4 enables authenticated attackers to make the server perform arbitrary HTTP requests to internal or external systems via the Logo API endpoint. The vulnerable validateUrlForSSRF function in apps/web/app/api/logo/route.ts insufficiently validates user-supplied URLs, allowing bypass of SSRF protections. Public exploit code exists (EPSS data not provided), though exploitation complexity is high (CVSS AC:H) requiring low-level privileges and technical sophistication. The vendor received early notification but has not responded or released a patch.

SSRF Cal Diy
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site request forgery (CSRF) in Cal.com cal.diy versions up to 4.9.4 enables remote attackers to perform unauthorized actions on behalf of authenticated users through specially crafted requests. Public exploit code is available via GitHub Gist, lowering the barrier for exploitation. The vendor was notified but has not responded or released a patch, leaving users dependent on compensating controls. EPSS data unavailable, but the combination of low attack complexity (AC:L), no authentication requirement (PR:N), and available exploit code (E:P) elevates practical exploitation risk above the base CVSS score of 4.3.

CSRF Cal Diy
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy