Description

A vulnerability was identified in calcom cal.diy up to 4.9.4. Impacted is an unknown function. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

PUBLISHED Reserved 2026-05-22 | Published 2026-05-23 | Updated 2026-05-23 | Assigner VulDB




MEDIUM: 5.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
MEDIUM: 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
MEDIUM: 4.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
5.0 | AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR

Problem types

Cross-Site Request Forgery

Missing Authorization

Product status

4.9.0: affected
4.9.1: affected
4.9.2: affected
4.9.3: affected
4.9.4: affected

Timeline

2026-05-22: Advisory disclosed
2026-05-22: VulDB entry created
2026-05-22: VulDB entry last update

Credits

Eric-z (VulDB User) reporter

VulDB CNA Team coordinator

References

vuldb.com/vuln/365250 (VDB-365250 | calcom cal.diy cross-site request forgery) vdb-entry

vuldb.com/vuln/365250/cti (VDB-365250 | CTI Indicators (IOB, IOC)) signature permissions-required

vuldb.com/submit/812173 (Submit #812173 | cal.com <= v4.9.4 Cross-Site Request Forgery (CWE-352)) third-party-advisory

vuldb.com/submit/812175 (Submit #812175 | cal.com <= v4.9.4 Cross-Site Request Forgery (CWE-352) (Duplicate)) third-party-advisory

gist.github.com/YLChen-007/26663d9558e15994176dc420d2e11d48 related

gist.github.com/YLChen-007/dafada36e356bc895b09829d8ec57e49 exploit

cve.org (CVE-2026-9303)

nvd.nist.gov (CVE-2026-9303)
