XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService

10 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5.

AI Analysis

SQL injection vulnerability in XWiki Full Calendar Macro through Calendar.JSONService

Basic Information

ID CVE-2025-65091

Source GitHub_M

Published Jan 10, 2026 at 03:06

Affected Product

Vendor xwiki-contrib

Product macro-fullcalendar

Version < 2.4.5

Affected Versions xwiki-contrib macro-fullcalendar < 2.4.5

CWE Classification

CWE-89

AI Assessment

AI Score 10 / 10

AI Severity Critical

Vendor XWiki

Product Full Calendar Macro

Version < 2.4.5

References

{
    "lastseen": "",
    "description": "XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5.",
    "published": "2026-01-10T03:06:16.775Z",
    "modified": "2026-01-10T03:06:16.775Z",
    "type": "cve",
    "title": "XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService",
    "source": "GitHub_M",
    "references": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-2g22-wg49-fgv5\nhttps://github.com/xwiki-contrib/macro-fullcalendar/commit/5fdcf06a05015786492fda69b4d9dea5460cc994",
    "id": "CVE-2025-65091",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "xwiki-contrib macro-fullcalendar < 2.4.5",
    "sourceHref": "",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "macro-fullcalendar",
    "version": "< 2.4.5",
    "vendor": "xwiki-contrib",
    "ai_description": "SQL injection vulnerability in XWiki Full Calendar Macro through Calendar.JSONService",
    "ai_severity": "Critical",
    "ai_vendor": "XWiki",
    "ai_product": "Full Calendar Macro",
    "ai_version": "< 2.4.5",
    "ai_score": 10
}

XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService_CVE-2025-65091