PatchSiren cyber security CVE debrief
CVE-2026-9303 calcom CVE debrief
Cross-site request forgery (CSRF) vulnerability in calcom cal.diy up to version 4.9.4. The vulnerability allows remote attackers to perform unauthorized actions via crafted requests. The CVSS 4.0 vector indicates a network attack vector, low attack complexity and no privileges required, but user interaction is required. The confidentiality impact is none, the integrity impact is low and the availability impact is none. The exploit has been publicly disclosed, and the CVSS exploit maturity metric is set to proof-of-concept. The vendor was contacted prior to disclosure but did not respond. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) and CWE-862 (Missing Authorization).
- Vendor: calcom
- Product: cal.diy
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-23
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-23
- Advisory updated: 2026-05-26
Who should care
Organizations running calcom cal.diy versions up to 4.9.4 should assess their exposure. Security teams should prioritize CSRF protection reviews for this application. Developers maintaining cal.diy deployments should implement or verify anti-CSRF controls.
Technical summary
A cross-site request forgery vulnerability exists in calcom cal.diy versions up to 4.9.4. The vulnerability can be exploited remotely but requires user interaction. The attack complexity is low and no privileges are required. Successful exploitation results in low integrity impact with no confidentiality or availability impact. The exploit is publicly available.
Defensive priority
low
Recommended defensive actions
- Review and implement CSRF protection mechanisms in cal.diy deployments
- Validate that state-changing operations require anti-CSRF tokens or equivalent protections
- Monitor for unauthorized state changes in cal.diy instances
- Consider upgrading to a patched version when available from the vendor
- Review application logs for suspicious cross-origin requests
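The origin check behind the second and fifth actions above, as an added example that is not part of this debrief or of the cal.com project: the same rule a server-side guard applies to cookie-authenticated, state-changing requests (Origin, falling back to Referer, must match the deployment's own host) is run over access-log lines to surface cross-origin or origin-less state changes for review. The host name cal.example.org, the log format and the log lines are constructed for the example.

```javascript
// Added example (not from the advisory or the cal.com code base). Hostname,
// log format and log lines below are constructed.
const SELF_HOST = "cal.example.org";            // assumed deployment host
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Host part of an Origin/Referer header value; null when absent, "null" or unparsable.
function headerHost(value) {
  if (!value || value === "null") return null;
  try { return new URL(value).host.toLowerCase(); } catch { return null; }
}

// Verdict for one request. CSRF only concerns requests authenticated by
// ambient credentials (session cookies); a request with neither Origin nor
// Referer is flagged "no-origin" so it can be checked rather than silently passed.
function classify(req) {
  if (!STATE_CHANGING.has(req.method.toUpperCase())) return "safe-method";
  const origin = headerHost(req.origin) ?? headerHost(req.referer);
  if (origin === null) return "no-origin";
  return origin === SELF_HOST ? "ok" : "cross-origin";
}

// Constructed log format: METHOD PATH STATUS "origin" "referer"
const LINE = /^(\S+) (\S+) (\d{3}) "([^"]*)" "([^"]*)"$/;
function parseLine(line) {
  const m = LINE.exec(line.trim());
  if (!m) return null;
  return { method: m[1], path: m[2], status: Number(m[3]),
           origin: m[4] || null, referer: m[5] || null };
}

// Returns the requests worth a second look: cross-origin or origin-less state changes.
function scanLog(text) {
  const findings = [];
  for (const line of text.split("\n")) {
    const req = parseLine(line);
    if (!req) continue;
    const verdict = classify(req);
    if (verdict === "cross-origin" || verdict === "no-origin") findings.push({ ...req, verdict });
  }
  return findings;
}

const SAMPLE_LOG = `
POST /api/booking 200 "https://cal.example.org" "https://cal.example.org/book"
POST /api/booking 200 "https://attacker.example" "https://attacker.example/page"
GET /api/booking 200 "https://attacker.example" ""
DELETE /api/booking/42 204 "" ""
PUT /api/profile 200 "" "https://cal.example.org/settings"
`;

module.exports = { classify, parseLine, scanLog, SAMPLE_LOG };
```

Running `scanLog(SAMPLE_LOG)` reports the second line as cross-origin and the fourth as no-origin; the GET is ignored because it should not change state, and the PUT passes on its same-site Referer.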
Evidence notes
The vulnerability affects calcom cal.diy versions up to 4.9.4. The specific function impacted is unknown based on available information. The CVSS 4.0 score of 2.1 reflects the LOW severity rating, primarily due to the required user interaction and limited integrity impact. The weakness classifications include both CSRF (CWE-352) and missing authorization (CWE-862).
Official resources
The CVE was published on 2026-05-23 and last modified on 2026-05-26. The disclosure was coordinated through VulDB as the CNA. The vendor was contacted early about this disclosure but did not respond in any way.