Calcom
Recent CVEs (8 listed)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-31604 | Calcom / Cal.com | Med | 0.42 | 6.5 | 0.00 | — | Mar 31, 2025 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Cal.com Cal.com cal-com allows Stored XSS. This issue affects Cal.com: from n/a through <= 1.0.0. |
| CVE-2026-9349 | Calcom / cal.diy | Med | 0.34 | 5.3 | 0.00 | — | May 24, 2026 | A vulnerability was determined in calcom cal.diy up to 4.9.4. Affected by this issue is the function getServerSideProps of the file apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx of the component Generic React API. This manipulation of the argument… |
| CVE-2026-9304 | Calcom / cal.diy | Med | 0.33 | 5.0 | 0.00 | — | May 23, 2026 | A security flaw has been discovered in calcom cal.diy up to 4.9.4. The affected element is the function validateUrlForSSRF of the file apps/web/app/api/logo/route.ts of the component Logo API. The manipulation results in server-side request forgery. It is possible to launch the… |
| CVE-2026-9303 | Calcom / cal.diy | Med | 0.28 | 4.3 | 0.00 | — | May 23, 2026 | A vulnerability was identified in calcom cal.diy up to 4.9.4. Impacted is an unknown function. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted… |
| CVE-2026-23478 | Calcom / Cal.com | — | 0.00 | — | 0.00 | — | Jan 13, 2026 | Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This… |
| CVE-2025-66489 | Calcom / Cal.com | — | 0.00 | — | 0.01 | — | Dec 3, 2025 | Cal.com is open-source scheduling software. Prior to 5.9.8, a flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic… |
| CVE-2023-37919 | Calcom / Cal.com | — | 0.00 | — | 0.00 | — | Jul 25, 2023 | Cal.com is open-source scheduling software. A vulnerability allows active sessions associated with an account to remain active even after enabling 2FA. When activating 2FA on a Cal.com account that is logged in on two or more devices, the account stays logged in on the other… |
| CVE-2023-1647 | Calcom / Cal.com | — | 0.00 | — | 0.01 | — | Mar 27, 2023 | Improper Access Control in GitHub repository calcom/cal.com prior to 2.7. |

A dash marks a field the listing leaves empty (no CVSS score recorded, no KEV entry shown). Descriptions ending in "…" are truncated in the listing; consult the CVE record for the full text.
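Two rows above describe authentication-logic flaws rather than injection bugs: CVE-2025-66489 (the credentials provider skips password verification when a TOTP code is supplied) and CVE-2026-23478 (a custom NextAuth jwt callback lets a caller change which account the token represents by passing an email to session.update()). The block below is an added illustration of both patterns, not Cal.com's code and not a reconstruction of the actual patches. It uses the real shape of NextAuth's jwt callback (a client call to session.update(data) invokes it with trigger "update" and data as the session argument), but the user store, the password hash (FNV-1a standing in for argon2/bcrypt so the file has no dependencies), the TOTP fixture and every function name are constructed for the example.

```typescript
// Added illustration, not Cal.com's code: CVE-2025-66489 and CVE-2026-23478
// patterns as a NextAuth-style credentials authorize() and jwt() callback, each
// in a vulnerable and a hardened form. Users, hashes and TOTP values are constructed.

type User = { id: string; email: string; passwordHash: string; totpEnabled: boolean };
type Credentials = { email: string; password: string; totpCode?: string };
type Token = { sub: string; email: string };
// The jwt() callback arguments that matter here: on session.update(data) from
// the client, trigger is "update" and `session` is the client-supplied `data`.
type JwtArgs = { token: Token; trigger?: "signIn" | "signUp" | "update"; session?: { email?: string } };

// FNV-1a 32-bit: a constructed stand-in for argon2/bcrypt so the example runs
// offline with no dependencies. Never use this for real password storage.
function hashPassword(pw: string): string {
  let h = 0x811c9dc5;
  for (let i = 0; i < pw.length; i++) {
    h ^= pw.charCodeAt(i);
    // 32-bit multiply by the FNV prime without Math.imul (split into 16-bit halves)
    h = ((h & 0xffff) * 0x01000193 + ((((h >>> 16) * 0x01000193) & 0xffff) << 16)) >>> 0;
  }
  return ("00000000" + h.toString(16)).slice(-8);
}

// Compare without revealing the position of the first mismatch.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Constructed in-memory user store standing in for the database.
const USERS: Record<string, User> = {
  "alice@example.com": { id: "u1", email: "alice@example.com", passwordHash: hashPassword("correct-horse"), totpEnabled: true },
  "bob@example.com": { id: "u2", email: "bob@example.com", passwordHash: hashPassword("tr0ub4dor"), totpEnabled: false },
};
// Constructed "current" TOTP value per user; a real verifier computes RFC 6238.
const CURRENT_TOTP: Record<string, string> = { u1: "492039" };

function verifyPassword(user: User, password: string): boolean {
  return constantTimeEqual(user.passwordHash, hashPassword(password));
}
function verifyTotp(user: User, code: string): boolean {
  const expected = CURRENT_TOTP[user.id];
  return expected !== undefined && constantTimeEqual(expected, code);
}
function findByEmail(email: string): User | undefined {
  return USERS[email.toLowerCase()];
}
function findById(id: string): User | undefined {
  for (const email in USERS) if (USERS[email].id === id) return USERS[email];
  return undefined;
}

// CVE-2025-66489 pattern, vulnerable: a supplied TOTP code selects a branch that
// never looks at the password, so the second factor becomes the only factor.
function authorizeVulnerable(c: Credentials): User | null {
  const user = findByEmail(c.email);
  if (!user) return null;
  if (c.totpCode !== undefined) return verifyTotp(user, c.totpCode) ? user : null;
  return verifyPassword(user, c.password) ? user : null;
}

// Hardened: the password is always the first gate; when TOTP is enabled the code
// is an additional requirement, never an alternative route.
function authorizeHardened(c: Credentials): User | null {
  const user = findByEmail(c.email);
  if (!user || !verifyPassword(user, c.password)) return null;
  if (user.totpEnabled && (c.totpCode === undefined || !verifyTotp(user, c.totpCode))) return null;
  return user;
}

// CVE-2026-23478 pattern, vulnerable: on trigger === "update" the callback
// re-resolves the account from the client-supplied email and rewrites the
// token's identity, so any logged-in user can become any other user.
function jwtVulnerable({ token, trigger, session }: JwtArgs): Token {
  if (trigger === "update" && session?.email) {
    const target = findByEmail(session.email);
    if (target) return { sub: target.id, email: target.email };
  }
  return token;
}

// Hardened: identity comes only from token.sub, fixed at sign-in and not client
// controlled; the session.update() payload is never consulted for who the user
// is, and refreshable attributes are re-read from the store by that id.
function jwtHardened({ token }: JwtArgs): Token {
  const current = findById(token.sub);
  return current ? { sub: current.id, email: current.email } : token;
}
```

The two hardened functions share one rule: nothing the client sends after sign-in may change the answer to "who is this". If an application needs session.update() to refresh a display name or avatar, copy only that allow-listed field, and take it from the database row selected by token.sub rather than from the payload. The third authentication row, CVE-2023-37919, is the flip side of stateless JWT sessions: enabling 2FA cannot by itself log out other devices unless the callback re-checks something server-side (for example a per-user session version stored with the account and compared in the jwt callback), which is a caveat to keep in mind when relying on JWT sessions.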