CVE Tools
Sign in

CVE-2025-65090

XWiki Full Calendar Macro vulnerable to data leak through Calendar.JSONService

Published: Jan 10, 2026Updated: Jan 29, 2026 Sources: CVE List NVD GHSA BDUCWE-200
5.3MEDIUM
NVD MITRE
EPSS Score
0.2%
Top 85.6%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6.

No summary for this CVE yet.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:LI:NA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:LConfidentiality
Low
I:NIntegrity
None
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-200

Affected Products

macro-fullcalendarxwiki-contrib
On-prem
Web & CMS Plugins / cms-core
full calendar macroxwiki
On-prem
Web & CMS Plugins / cms-core
Full Calendar MacroXWiki SAS
Mixed
Web & CMS Plugins / cms-core
org.xwiki.contrib:macro-fullcalendar-pomMavenOSS Libraries
xwiki-contriboss-projectWeb & CMS Pluginsaka xwiki contrib, xwiki-contrib
xwikioss-projectFRWeb & CMS Pluginsaka xwiki-platform, xwiki-commons
xwiki sascommercialWeb & CMS Plugins
mavenpackage-ecosystemOSS Libraries

Exploitability

Official Patch Available

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

MITRE ATT&CK

1 technique
Collection
View detailed technique mapping

References

https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-637h-ch24-xp9m
github.com
https://github.com/xwiki-contrib/macro-fullcalendar/commit/25bc14c181c9a92f493b20ac264388c7ba171884
github.com
https://jira.xwiki.org/browse/FULLCAL-82
jira.xwiki.org
and 5 more references View all →

Timeline

Published
Jan 10, 2026
Last Updated
Jan 29, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2025-65090 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows