A vulnerability was identified in calcom cal.diy up to 4.9.4. Impacted is an unknown function. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Calcom
  • Cal.diy

No data.

No data.

References
Link Providers
https://gist.github.com/YLChen-007/26663d9558e15994176dc420d2e11d48 cve-icon
https://gist.github.com/YLChen-007/dafada36e356bc895b09829d8ec57e49 cve-icon
https://vuldb.com/submit/812173 cve-icon
https://vuldb.com/submit/812175 cve-icon
https://vuldb.com/vuln/365250 cve-icon
https://vuldb.com/vuln/365250/cti cve-icon
History

Sat, 23 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in calcom cal.diy up to 4.9.4. Impacted is an unknown function. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title calcom cal.diy cross-site request forgery
First Time appeared Calcom
Calcom cal.diy
Weaknesses CWE-352
CWE-862
CPEs cpe:2.3:a:calcom:cal.diy:*:*:*:*:*:*:*:*
Vendors & Products Calcom
Calcom cal.diy
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-23T13:30:10.147Z

Updated: 2026-05-23T13:30:10.147Z

Reserved: 2026-05-22T17:54:39.276Z

Link: CVE-2026-9303

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.