PT-2026-42884 · Cal.Com · Cal.Com
Eric-Z
·
Published
2026-05-23
·
Updated
2026-05-23
·
CVE-2026-9304
CVSS v3.1
5.0
Medium
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
calcom cal.diy versions prior to 4.9.5
Description
A flaw in the Logo API component allows for server-side request forgery (SSRF), a condition where an attacker can induce the server to make requests to an unintended location. The issue resides in the
validateUrlForSSRF() function within the apps/web/app/api/logo/route.ts file. This attack can be launched remotely, although it is characterized as highly complex and difficult to exploit.Recommendations
Update to a version later than 4.9.4.
As a temporary workaround, restrict access to the
validateUrlForSSRF() function in the Logo API to minimize the risk of exploitation.Exploit
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Cal.Com