CRITICAL · CVE-2025-65091 · CVSS 10

CVE-2025-65091: SQL Injection in XWiki Macro FullCalendar

Platform

java

Component

org.xwiki.contrib:macro-fullcalendar-pom

Fixed in

2.4.6

2.4.5

AI Confidence: high · NVD · EPSS 0.2% · Reviewed: May 2026

CVE-2025-65091 describes a critical SQL Injection vulnerability discovered in the XWiki Macro FullCalendar component. This flaw allows unauthorized users, including guest users, to potentially extract sensitive data from the database or initiate a denial-of-service (DoS) attack. The vulnerability affects versions prior to 2.4.5, and a fix is available in version 2.4.5.


Impact and Attack Scenarios

The SQL Injection vulnerability in XWiki Macro FullCalendar poses a significant risk. Attackers can exploit this flaw by crafting malicious requests targeting the Calendar.JSONService page, which is accessible even to guest users. Successful exploitation could lead to the extraction of sensitive database information, such as user credentials, configuration details, or application data. Furthermore, attackers could leverage the SQL Injection to execute arbitrary commands on the database server, potentially leading to a complete compromise of the XWiki instance. The ability to launch a DoS attack adds another layer of potential disruption, as attackers could overload the database server with malicious queries, rendering the application unavailable to legitimate users.

Exploitation Context

Public details regarding active exploitation of CVE-2025-65091 are currently limited. However, the vulnerability's critical severity and ease of exploitation (guest user access) suggest a potential for future exploitation attempts. The vulnerability was disclosed publicly on 2026-01-09. Monitor XWiki installations for suspicious database activity and unusual error logs.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.21% (43rd percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: total

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Base score: 10.0 (CRITICAL)
Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)
nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: org.xwiki.contrib:macro-fullcalendar-pom
Vendor: osv

Affected range | Fixed in
< 2.4.5 | 2.4.6
< 2.4.5 | 2.4.5

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-65091 is to upgrade to XWiki Macro FullCalendar version 2.4.5 or later, which contains the fix. If an immediate upgrade is not feasible because of compatibility concerns or testing requirements, a temporary workaround is to remove the Calendar.JSONService page. This closes the vulnerable endpoint but also disables some FullCalendar macro functionality that depends on it. Consider adding Web Application Firewall (WAF) rules that filter requests to the Calendar.JSONService endpoint until the upgrade is applied, and regularly review XWiki configuration and access controls so that least-privilege principles are enforced.
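A version check a defender can run against a build file, added here as an example that is not part of this advisory: it parses a pom.xml (a constructed sample is embedded), resolves property-based versions, and flags the org.xwiki.contrib:macro-fullcalendar-pom artifact when its version is below the fixed release 2.4.5. It assumes the project declares the macro as a Maven dependency; installations made through the XWiki Extension Manager must be checked there instead.

```python
import re
import xml.etree.ElementTree as ET

# Affected Maven coordinates and first fixed version, as stated in the advisory.
AFFECTED_GROUP = "org.xwiki.contrib"
AFFECTED_ARTIFACT = "macro-fullcalendar-pom"
FIXED_VERSION = "2.4.5"

# Constructed sample pom.xml (not from any real project): the affected
# dependency with its version supplied through a property, plus an unrelated one.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><fullcalendar.version>2.4.4</fullcalendar.version></properties>
  <dependencies>
    <dependency><groupId>org.xwiki.contrib</groupId>
      <artifactId>macro-fullcalendar-pom</artifactId>
      <version>${fullcalendar.version}</version></dependency>
    <dependency><groupId>org.xwiki.platform</groupId>
      <artifactId>xwiki-platform-oldcore</artifactId><version>16.4.0</version></dependency>
  </dependencies>
</project>"""

def local(tag):  # strip the XML namespace so {ns}version and version compare equal
    return tag.rsplit("}", 1)[-1]

def parse_version(v):
    """Comparable form of a Maven version: numeric segments compare numerically
    (2.10.0 > 2.4.5) and a qualifier such as -SNAPSHOT sorts below the release."""
    release, _, qualifier = v.partition("-")
    nums = tuple(int(p) for p in release.split(".") if p.isdigit())
    return nums + (0,) * (3 - len(nums)), 0 if qualifier else 1

def is_affected(version):
    return parse_version(version) < parse_version(FIXED_VERSION)

def find_affected(pom_xml):
    """Return [(artifactId, resolved version)] for affected dependencies in a pom.xml string."""
    root = ET.fromstring(pom_xml)
    props = {local(p.tag): (p.text or "").strip()
             for node in root.iter() if local(node.tag) == "properties" for p in node}
    hits = []
    for dep in (n for n in root.iter() if local(n.tag) == "dependency"):
        f = {local(c.tag): (c.text or "").strip() for c in dep}
        if (f.get("groupId"), f.get("artifactId")) != (AFFECTED_GROUP, AFFECTED_ARTIFACT):
            continue
        # Resolve ${property} references; a version managed outside this file is skipped.
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)),
                         f.get("version", ""))
        if version and is_affected(version):
            hits.append((f["artifactId"], version))
    return hits
```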

How to fix

Update the XWiki Full Calendar macro to version 2.4.5 or later. This version contains a fix for the SQL injection vulnerability. The update can be performed through the XWiki Extension Manager.


Frequently asked questions

What is CVE-2025-65091 — SQL Injection in XWiki Macro FullCalendar?

CVE-2025-65091 is a critical SQL Injection vulnerability affecting XWiki Macro FullCalendar versions prior to 2.4.5. It allows unauthorized users to potentially extract data or launch DoS attacks.

Am I affected by CVE-2025-65091 in XWiki Macro FullCalendar?

If you are using XWiki Macro FullCalendar version 2.4.4 or earlier, you are vulnerable to this SQL Injection flaw. Upgrade to 2.4.5 to mitigate the risk.

How do I fix CVE-2025-65091 in XWiki Macro FullCalendar?

The recommended fix is to upgrade to XWiki Macro FullCalendar version 2.4.5 or later. As a temporary workaround, remove the Calendar.JSONService page.

Is CVE-2025-65091 being actively exploited?

While there are currently no confirmed reports of active exploitation, the vulnerability's severity and ease of exploitation suggest a potential for future attacks.

Where can I find the official XWiki advisory for CVE-2025-65091?

Refer to the XWiki Jira issue for more information: https://jira.xwiki.org/browse/FULLCAL-80 and https://jira.xwiki.org/browse/FULLCAL-81
