CVE-2026-9303
4.3 MEDIUMA vulnerability was identified in calcom cal.diy up to 4.9.4
Published: 2026-05-23 · Last updated: 2026-05-26
Severity and scoring
- CVSS
- 4.3 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- CWE
- CWE-352, CWE-862
Description
A vulnerability was identified in calcom cal.diy up to 4.9.4. Impacted is an unknown function. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-9303
- [Other]https://gist.github.com/YLChen-007/26663d9558e15994176dc420d2e11d48
- [Other]https://gist.github.com/YLChen-007/dafada36e356bc895b09829d8ec57e49
- [Other]https://vuldb.com/submit/812173
- [Other]https://vuldb.com/submit/812175
- [Other]https://vuldb.com/vuln/365250
- [Other]https://vuldb.com/vuln/365250/cti
Related CVEs
Same CWE
- CVE-2026-12105 — Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplicat...
- CVE-2026-53866 — OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in shell inline-command parsing that allows authenticated operators ... (8.1 HIGH)
- CVE-2026-53851 — OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite... (5.3 MEDIUM)
- CVE-2026-53850 — OpenClaw before 2026.4.25 contains a control scope enforcement bypass vulnerability in the focus command that allows authenticated caller... (5.5 MEDIUM)
- CVE-2026-53844 — OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated call... (6.5 MEDIUM)