CVE-2026-9303 MEDIUM

CVE-2026-9303: calcom cal.diy cross-site request forgery

Vendor Calcom
Product cal.diy
Weakness CWE-352 · CSRF
Published May 23, 2026
Last update May 26, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A vulnerability was identified in calcom cal.diy up to 4.9.4. Impacted is an unknown function. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

May 23, 2026 CVE published
May 26, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-5142 Simple Page Access Restriction <= 1.0.31 - Cross-Site Request Forgery via Multiple Parameters CVE-2025-68158 Authlib: 1-click Account Takeover CVE-2025-9949 Internal Links Manager <= 3.0.1 - Cross-Site Request Forgery CVE-2024-13521 MailUp Auto Subscription <= 1.1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting CVE-2025-58675 WordPress Interact: Embed A Quiz On Your Site Plugin <= 3.1 - Cross Site Request Forgery (CSRF) Vulnerability