Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-66511

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens, which allowed them to request details and submit dates in meeting proposals. The tokens are not purely random generated. This vulnerability is fixed in 6.0.3.

Published

2025-12-05T17:16:04.797

Last Modified

2025-12-10T16:14:27.230

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 4.8 (MEDIUM)

Weaknesses

Type: Secondary
CWE-330

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	calendar	< 6.0.3	Yes

References

https://github.com/nextcloud/calendar/commit/8de14ae87f321f5f09280d9895a27d54d24f33fb Patch ([email protected])
https://github.com/nextcloud/calendar/pull/7659 Issue Tracking ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-whm3-vv55-gf27 Patch, Vendor Advisory ([email protected])
https://hackerone.com/reports/3385434 Permissions Required, Vendor Advisory ([email protected])