PT-2026-42905 · Cal.Com · Cal.Com
Eric-Z
·
Published
2026-05-24
·
Updated
2026-05-24
·
CVE-2026-9349
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
calcom cal.diy versions prior to 4.9.5
Description
An information disclosure issue exists in the Generic React API component. The problem resides in the
getServerSideProps() function within the file apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx. A remote attacker can trigger this by manipulating the cancelledBy or rescheduledBy arguments.Recommendations
Update to a version later than 4.9.4.
As a temporary workaround, restrict access to the
getServerSideProps() function in the affected file to minimize the risk of information disclosure.Exploit
Fix
Improper Access Control
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Cal.Com