Low Published: Dec 05, 2025

CVE-2025-66546

3.3 CVSS SCORE

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.19, 5.5.6, and 6.0.1, the calendar app allowed blindly booking appointments with a squential ID without known the appointment token. This vulnerability is fixed in 4.7.19, 5.5.6, and 6.0.1.

CVSS Vector Details

Attack Vector Local

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality Low

Integrity None

Availability None

Weaknesses (CWE)

CWE-639

References & External Links

https://github.com/nextcloud/calendar/commit/f41650c3681fc4a4130eb883f5c0899c011326b3
https://github.com/nextcloud/calendar/pull/7537
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7x2j-2674-fj95
https://hackerone.com/reports/3275810

External Resources

NVD Official Record Exploit-DB Search Exploits CVE Details Statistics GitHub PoC / Tools X / Twitter Discussions Google Search More

← Back to CVE Tracker