Description
The Calendar module for HumHub enables users to create one-time or recurring events, manage attendee invitations, and efficiently track all scheduled activities. Prior to version 1.8.11, a Stored Cross-Site Scripting (XSS) vulnerability in the Event Types of the HumHub Calendar module impacts users viewing events created by an administrative account. This issue has been patched in version 1.8.11.
Published: 2026-03-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting
Action: Immediate Patch
AI Analysis

Impact

A stored cross-site scripting flaw exists in the event type feature of the HumHub Calendar module. It allows an attacker with administrative privileges to embed malicious script in an event type; the script is saved in the database and executes in the browser of every user who views an event of that type. This permits arbitrary JavaScript execution in the victim's session, enabling session hijacking, credential theft, or defacement. Only users who view events created by an administrative account are affected, so ordinary users browsing the calendar are impacted only after an administrator has stored the malicious content.

Affected Systems

The vulnerability impacts the HumHub Calendar module (humhub:calendar) and is present in all releases earlier than version 1.8.11. Administrators running HumHub Calendar 1.8.10 or older are vulnerable; the issue was corrected in version 1.8.11.

Risk and Exploitability

The CVSS score of 6.9 denotes medium severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The vulnerability does not appear in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires an attacker to have administrative access to insert malicious content into event types, after which any authenticated user viewing the event will have the stored script executed in their browser.

Generated by OpenCVE AI on April 16, 2026 at 12:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the HumHub Calendar module to version 1.8.11 or later.
  • Verify that any existing event types with custom HTML or JavaScript have been sanitized or removed to eliminate potential stored scripts.
  • Restrict the ability to create or edit event types to trusted administrators and consider disabling the feature until the patch is applied if no immediate upgrade path is available.

Generated by OpenCVE AI on April 16, 2026 at 12:55 UTC.
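The root cause of this bug class (CWE-79) is rendering a stored event type value into HTML without contextual output encoding, and the second recommended action above asks for an audit of existing rows. The PHP below is an added example written for this page, not HumHub's or the Calendar module's code: the `$eventTypes` rows are constructed sample data, and `renderEventTypeBadgeUnsafe`, `renderEventTypeBadge`, `encodeHtml` and `findEventTypesWithMarkup` are hypothetical names. It shows the vulnerable pattern beside the hardened form and a small audit that flags stored event-type names containing markup.

```php
<?php
// Added example (not HumHub code): stored XSS via an "event type" name,
// the output-encoding fix, and an audit of already-stored rows.

declare(strict_types=1);

// Constructed sample rows standing in for an event type table.
$eventTypes = [
    ['id' => 1, 'name' => 'Meeting', 'color' => '#3366cc'],
    ['id' => 2, 'name' => 'Team <b>Offsite</b>', 'color' => '#33cc66'],
    ['id' => 3, 'name' => 'Review<script>alert(1)</script>', 'color' => 'red;" onmouseover="alert(2)'],
];

// Vulnerable pattern: the stored name and colour are interpolated into HTML
// unchanged, so markup saved by an administrator runs in every viewer's browser.
function renderEventTypeBadgeUnsafe(array $type): string
{
    return '<span class="badge" style="background:' . $type['color'] . '">'
        . $type['name'] . '</span>';
}

// Hardened form: encode for the HTML text context. Yii2's Html::encode(), which
// HumHub views normally use, wraps htmlspecialchars() in the same way.
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderEventTypeBadge(array $type): string
{
    // The colour lands in a style attribute, where encoding alone is not enough:
    // allow-list a hex colour and fall back to a safe default otherwise.
    $color = preg_match('/^#[0-9a-fA-F]{6}$/', $type['color']) ? $type['color'] : '#999999';
    return '<span class="badge" style="background:' . $color . '">'
        . encodeHtml($type['name']) . '</span>';
}

// Audit helper for the "verify existing event types" step: return the ids of
// rows whose name contains characters or sequences with meaning in HTML.
function findEventTypesWithMarkup(array $rows): array
{
    $flagged = [];
    foreach ($rows as $row) {
        if (preg_match('/[<>"\']|&#|javascript:/i', $row['name'])) {
            $flagged[] = $row['id'];
        }
    }
    return $flagged;
}

foreach ($eventTypes as $type) {
    echo 'unsafe: ' . renderEventTypeBadgeUnsafe($type) . PHP_EOL;
    echo 'safe:   ' . renderEventTypeBadge($type) . PHP_EOL;
}
// Rows 2 and 3 are reported for manual review; row 1 is clean.
echo 'rows needing review: ' . implode(', ', findEventTypesWithMarkup($eventTypes)) . PHP_EOL;
```

Encoding at render time is the durable fix; the audit only finds values already stored and does not replace it, since an upgraded module still has to render legacy rows safely.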

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 18:45:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:humhub:calendar:*:*:*:*:*:*:*:*
Metrics                    cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Fri, 06 Mar 2026 15:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Humhub; Humhub calendar
Vendors & Products                    Humhub; Humhub calendar

Thu, 05 Mar 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 06:00:00 +0000

Type         Values Removed   Values Added
Description                   The Calendar module for HumHub enables users to create one-time or recurring events, manage attendee invitations, and efficiently track all scheduled activities. Prior to version 1.8.11, a Stored Cross-Site Scripting (XSS) vulnerability in the Event Types of the HumHub Calendar module impacts users viewing events created by an administrative account. This issue has been patched in version 1.8.11.
Title                         HumHub Calendar Module: Stored XSS in Event Types
Weaknesses                    CWE-79
References
Metrics                       cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-05T15:30:11.121Z

Reserved: 2026-03-03T17:50:11.244Z

Link: CVE-2026-29052

Vulnrichment

Updated: 2026-03-05T15:30:07.662Z

NVD

Status: Analyzed

Published: 2026-03-05T06:16:50.260

Modified: 2026-03-09T18:40:51.523

Link: CVE-2026-29052

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:00:11Z

Weaknesses