Impact
The vulnerability resides in the getServerSideProps function of the Generic React API component in calcom cal.diy, allowing an attacker to manipulate the cancelledBy and rescheduledBy arguments and cause the disclosure of sensitive information. This weakness belongs to the Information Exposure and Improper Access Control categories, and the CVE description states that the exploit is publicly known and can be triggered remotely. The exposed data can include user identifiers or booking details that should remain confidential, potentially compromising both the privacy and the integrity of the system's data.
Affected Systems
This flaw affects the calcom cal.diy product, specifically versions up to and including 4.9.4. The impacted code resides in apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx within the component hierarchy of the Generic React API. No separate downstream vendor updates are listed for this entry.
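The defensive pattern below is an added illustration, not cal.com's code or its actual patch: a getServerSideProps-style handler for a booking single view that refuses to treat the request-controlled cancelledBy and rescheduledBy values as a statement of who the viewer is, deriving them from the authenticated session instead and redacting booking details for anyone who is not a participant. The Query, Session and Booking types, the buildBookingProps name and the inline booking store are all assumptions made for the example.

```typescript
// Added example (not code from cal.com): a defensive getServerSideProps-style
// handler. The request-controlled query values `cancelledBy` and `rescheduledBy`
// are never trusted as a statement of who the viewer is; the authenticated
// session decides which booking details are rendered. Types are simplified
// stand-ins for the Next.js ones, and the booking store is constructed inline.

type Query = Record<string, string | string[] | undefined>;
interface Session { user: { email: string } }
interface Booking { uid: string; title: string; attendeeEmails: string[]; notes: string }

// Constructed sample data standing in for the database.
const BOOKINGS: Booking[] = [
  { uid: "bk-1", title: "Intro call", attendeeEmails: ["alice@example.com"], notes: "dial-in 1234" },
];

function firstString(v: string | string[] | undefined): string | undefined {
  return Array.isArray(v) ? v[0] : v;
}

// Public view: only what an anonymous holder of the link needs to see.
function publicView(b: Booking) {
  return { uid: b.uid, title: b.title };
}

// Mirrors the shape of a getServerSideProps result: either props or notFound.
function buildBookingProps(query: Query, session: Session | null) {
  const uid = firstString(query.uid);
  const booking = BOOKINGS.find((b) => b.uid === uid);
  if (!booking) return { notFound: true as const };

  const viewer = session?.user.email.toLowerCase();
  const isAttendee = viewer !== undefined &&
    booking.attendeeEmails.some((e) => e.toLowerCase() === viewer);

  // Anonymous or non-participant viewers get the redacted view. Whatever the
  // query claims about cancelledBy/rescheduledBy is dropped, not echoed back.
  if (!isAttendee) return { props: { booking: publicView(booking) } };

  // For a participant, the actor fields are derived from the session, so a
  // tampered query value can neither impersonate nor unlock another user's data.
  return {
    props: {
      booking,
      cancelledBy: query.cancelledBy !== undefined ? viewer : undefined,
      rescheduledBy: query.rescheduledBy !== undefined ? viewer : undefined,
    },
  };
}
```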
Risk and Exploitability
The CVSS score of 6.9 indicates moderate severity, and the EPSS score is not available, which makes it unclear how often the vulnerability is actively targeted. Because the exploit is publicly disclosed and can be launched over the network, the risk of exploitation remains significant for any exposed booking interfaces that accept unauthenticated request contexts. The lack of a KEV listing suggests no confirmed widespread attacks yet, but the remote nature and information exposure warrant proactive mitigation.
OpenCVE Enrichment