Description
A vulnerability was identified in calcom cal.diy up to 4.9.4. Impacted is an unknown function. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-23
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The weakness in calcom cal.diy up to version 4.9.4 allows an attacker to manipulate an unknown function, resulting in a cross‑site request forgery (CSRF) vulnerability. This flaw is a classic CSRF issue (CWE‑352) and also carries an element of unauthorized access (CWE‑862) because the attacker can perform actions as a legitimate user. An attacker can send a crafted request from a remote source and trick a logged‑in user into unknowingly executing privileged operations.

Affected Systems

All installations of calcom cal.diy with versions 4.9.4 or earlier are impacted. No sub‑version or build information is supplied, so the entire 4.9.4 release series is assumed vulnerable.

Risk and Exploitability

The CVSS score is 5.3, indicating a moderate level of severity. EPSS is not provided, but the vulnerability is publicly available and the vendor did not release a fix or response at the time of disclosure. The flaw can be exploited remotely through a crafted request, and no authentication or privileged installation is required. Because it is a CSRF issue, an attacker can redirect a legitimate user’s browser to submit malicious requests. The lack of an official fix means that the risk remains until a patch is released or mitigated by defensive controls.

Generated by OpenCVE AI on May 23, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict the vulnerable endpoint to require a valid CSRF token and enforce authenticated sessions only.
  • If an update is available, install the latest version of calcom cal.diy that addresses the vulnerability; if not, consider disabling or removing the affected functionality.
  • Deploy a Web Application Firewall or equivalent rule set to detect and block CSRF attempts targeting the known vulnerable endpoint.
  • Monitor web traffic logs for unexpected POST/DELETE actions that match the CSRF signature and quarantine affected hosts.

Generated by OpenCVE AI on May 23, 2026 at 15:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 23 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in calcom cal.diy up to 4.9.4. Impacted is an unknown function. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title calcom cal.diy cross-site request forgery
First Time appeared Calcom
Calcom cal.diy
Weaknesses CWE-352
CWE-862
CPEs cpe:2.3:a:calcom:cal.diy:*:*:*:*:*:*:*:*
Vendors & Products Calcom
Calcom cal.diy
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Calcom Cal.diy
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-23T13:30:10.147Z

Reserved: 2026-05-22T17:54:39.276Z

Link: CVE-2026-9303

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-23T15:30:20Z

Weaknesses