CVE-2025-65091

Critical

Published: 10 January 2026

Published

10 January 2026

Modified

29 January 2026

KEV Added

—

Patch

—

CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0021 43.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting…

a DoS attack. This issue has been patched in version 2.4.5.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the SQL injection vulnerability by requiring input validation mechanisms at entry points like the Calendar.JSONService to block malicious payloads.

SI-2 Flaw Remediation good match

prevent

Mandates identification, reporting, and correction of flaws such as this SQL injection in the Full Calendar Macro by applying the patch to version 2.4.5.

SC-7 Boundary Protection partial match

prevent

Boundary protection with web application firewalls monitors and controls traffic to block SQL injection attempts on the vulnerable Calendar.JSONService endpoint.

Security SummaryAI

CVE-2025-65091 is a SQL injection vulnerability (CWE-89) in the XWiki Full Calendar Macro, a component that displays objects from the wiki on the calendar. The flaw affects versions prior to 2.4.5, where improper input handling in the macro enables exploitation via the Calendar.JSONService page.

Any network-accessible attacker with view access to the Calendar.JSONService page, including guest users and requiring no privileges (PR:N), can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N). Exploitation grants high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) with changed scope (S:C), allowing database information disclosure or denial-of-service attacks, as reflected in its perfect CVSS v3.1 score of 10.0.

The issue was addressed in version 2.4.5 of the Full Calendar Macro. Official mitigation details are available in the GitHub security advisory (GHSA-2g22-wg49-fgv5) and the patching commit (5fdcf06a05015786492fda69b4d9dea5460cc994).

Details

CWE(s): CWE-89

Affected Products

xwiki

full calendar macro

≤ 2.4.5

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing XWiki Calendar.JSONService enables exploitation of public-facing application (T1190), database information disclosure (T1213.006), and DoS via application exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/xwiki-contrib/macro-fullcalendar/commit/5fdcf06a05015786492fda69b4d9dea5460cc994
Patch · security-advisories@github.com
https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-2g22-wg49-fgv5
Third Party Advisory · security-advisories@github.com