CVE-2025-66546 LOW

CVE-2025-66546: Nextcloud Calendar app allowed booking appointments without the generated token

Vendor Nextcloud
Product security-advisories
Weakness CWE-639 · IDOR
Published December 5, 2025
Last update December 5, 2025

CVSS base score

3.3/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.19, 5.5.6, and 6.0.1, the calendar app allowed blindly booking appointments with a squential ID without known the appointment token. This vulnerability is fixed in 4.7.19, 5.5.6, and 6.0.1.

Key dates

02Disclosure timeline

December 5, 2025 CVE published
December 5, 2025 Record updated

Related vulnerabilities

04Related CVE