CVE-2026-9303
calcom cal.diy cross-site request forgery
| CVSS Score | 4.3 |
| EPSS Score | 0.0% |
| EPSS Percentile | 5th |
A vulnerability was identified in calcom cal.diy up to 4.9.4. The affected function is unknown. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
| CWE | CWE-352, CWE-862 |
| Vendor | calcom |
| Product | cal.diy |
| Published | May 23, 2026 |
| Last Updated | May 26, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | Low |
| Availability | None |
Affected Versions
calcom / cal.diy
4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4
References
vuldb.com: https://vuldb.com/vuln/365250
vuldb.com: https://vuldb.com/vuln/365250/cti
vuldb.com: https://vuldb.com/submit/812173
vuldb.com: https://vuldb.com/submit/812175
gist.github.com: https://gist.github.com/YLChen-007/26663d9558e15994176dc420d2e11d48
gist.github.com: https://gist.github.com/YLChen-007/dafada36e356bc895b09829d8ec57e49
Credits
Eric-z (VulDB User)
VulDB CNA Team