VYPR

Cal.com

by Calcom

CVEs (8)

  • CVE-2025-31604 | Med | Mar 31, 2025
    risk 0.42 | cvss 6.5 | epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Cal.com Cal.com cal-com allows Stored XSS. This issue affects Cal.com: from n/a through <= 1.0.0.

  • CVE-2026-9349 | Med | May 24, 2026
    risk 0.34 | cvss 5.3 | epss 0.00

    A vulnerability was determined in calcom cal.diy up to 4.9.4. Affected by this issue is the function getServerSideProps of the file apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx of the component Generic React API. This manipulation of the argument…

  • CVE-2026-9304 | Med | May 23, 2026
    risk 0.33 | cvss 5.0 | epss 0.00

    A security flaw has been discovered in calcom cal.diy up to 4.9.4. The affected element is the function validateUrlForSSRF of the file apps/web/app/api/logo/route.ts of the component Logo API. The manipulation results in server-side request forgery. It is possible to launch the…

  • CVE-2026-9303 | Med | May 23, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    A vulnerability was identified in calcom cal.diy up to 4.9.4. Impacted is an unknown function. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted…

  • CVE-2026-23478 | Jan 13, 2026
    risk 0.00 | cvss | epss 0.00

    Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This…

  • CVE-2025-66489 | Dec 3, 2025
    risk 0.00 | cvss | epss 0.01

    Cal.com is open-source scheduling software. Prior to 5.9.8, a flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic…

  • CVE-2023-37919 | Jul 25, 2023
    risk 0.00 | cvss | epss 0.00

    Cal.com is open-source scheduling software. A vulnerability allows active sessions associated with an account to remain active even after enabling 2FA. When activating 2FA on a Cal.com account that is logged in on two or more devices, the account stays logged in on the other…

  • CVE-2023-1647 | Mar 27, 2023
    risk 0.00 | cvss | epss 0.01

    Improper Access Control in GitHub repository calcom/cal.com prior to 2.7.