PT-2026-42884 · Cal.Com · Cal.Com

Eric-Z

·

Published

2026-05-23

·

Updated

2026-05-23

·

CVE-2026-9304

CVSS v3.1

5.0

Medium

VectorAV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions calcom cal.diy versions prior to 4.9.5
Description A flaw in the Logo API component allows for server-side request forgery (SSRF), a condition where an attacker can induce the server to make requests to an unintended location. The issue resides in the validateUrlForSSRF() function within the apps/web/app/api/logo/route.ts file. This attack can be launched remotely, although it is characterized as highly complex and difficult to exploit.
Recommendations Update to a version later than 4.9.4. As a temporary workaround, restrict access to the validateUrlForSSRF() function in the Logo API to minimize the risk of exploitation.

Exploit

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9304

Affected Products

Cal.Com