Cyber Posture

CVE-2025-0929

Critical

Published: 31 January 2025

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0135 (80.2th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

SQL injection vulnerability in TeamCal Neo, version 3.8.2. This could allow an attacker to retrieve, update and delete all database information by injecting a malicious SQL statement via the ‘abs’ parameter in ‘/teamcal/src/index.php’.

Security Summary

CVE-2025-0929 is a SQL injection vulnerability (CWE-89) in TeamCal Neo version 3.8.2. The issue arises from insufficient input validation in the 'abs' parameter of the '/teamcal/src/index.php' endpoint, allowing attackers to inject malicious SQL statements.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network with low attack complexity, no privileges or user interaction required, and unchanged impact scope. Unauthenticated attackers can fully compromise the database by retrieving, updating, or deleting all information, resulting in high impacts to confidentiality, integrity, and availability.

The INCIBE-CERT advisory on multiple vulnerabilities in TeamCal Neo, available at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-teamcal-neo, provides further details on affected versions and recommended mitigations.

Details

CWE(s): CWE-89
