Drackanz

**Name of the Vulnerable Software and Affected Versions** WebCalendar version 0.9.45 **Description** The issue allows remote attackers to execute arbitrary PHP code. This can be achieved by providing a URL in the `includedir` parameter to specific API endpoints, such as "login.php", "get reminders.php", or "get events.php". **Recommendations** For WebCalendar version 0.9.45, consider restricting access to the `includedir` parameter in the affected API endpoints until a patch is available. As a temporary workaround, avoid using the `includedir` parameter in "login.php", "get reminders.php", and "get events.php" to minimize the risk of exploitation.