Platform
java
Component
org.xwiki.contrib:macro-fullcalendar-pom
Fixed in
2.4.6
2.4.5
CVE-2025-65091 describes a critical SQL Injection vulnerability discovered in the XWiki Macro FullCalendar component. This flaw allows unauthorized users, including guest users, to potentially extract sensitive data from the database or initiate a denial-of-service (DoS) attack. The vulnerability affects versions prior to 2.4.5, and a fix is available in version 2.4.5.
The SQL Injection vulnerability in XWiki Macro FullCalendar poses a significant risk. Attackers can exploit this flaw by crafting malicious requests targeting the Calendar.JSONService page, which is accessible even to guest users. Successful exploitation could lead to the extraction of sensitive database information, such as user credentials, configuration details, or application data. Furthermore, attackers could leverage the SQL Injection to execute arbitrary commands on the database server, potentially leading to a complete compromise of the XWiki instance. The ability to launch a DoS attack adds another layer of potential disruption, as attackers could overload the database server with malicious queries, rendering the application unavailable to legitimate users.
Public details regarding active exploitation of CVE-2025-65091 are currently limited. However, the vulnerability's critical severity and ease of exploitation (guest user access) suggest a potential for future exploitation attempts. The vulnerability was disclosed publicly on 2026-01-09. Monitor XWiki installations for suspicious database activity and unusual error logs.
Exploit Status
EPSS
0.21% (43% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-65091 is to upgrade to XWiki Macro FullCalendar version 2.4.5 or later, which contains the necessary fix. If an immediate upgrade is not feasible due to compatibility concerns or testing requirements, a temporary workaround involves removing the Calendar.JSONService page. While this mitigates the vulnerability, it will also disable certain functionalities of the FullCalendar macro. Consider implementing Web Application Firewall (WAF) rules to filter out potentially malicious requests targeting the Calendar.JSONService endpoint. Regularly review XWiki configurations and access controls to ensure least privilege principles are enforced.
Actualice el macro Full Calendar de XWiki a la versión 2.4.5 o superior. Esta versión contiene una corrección para la vulnerabilidad de inyección SQL. La actualización se puede realizar a través del administrador de extensiones de XWiki.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-65091 is a critical SQL Injection vulnerability affecting XWiki Macro FullCalendar versions prior to 2.4.5. It allows unauthorized users to potentially extract data or launch DoS attacks.
If you are using XWiki Macro FullCalendar version 2.4.4 or earlier, you are vulnerable to this SQL Injection flaw. Upgrade to 2.4.5 to mitigate the risk.
The recommended fix is to upgrade to XWiki Macro FullCalendar version 2.4.5 or later. As a temporary workaround, remove the Calendar.JSONService page.
While there are currently no confirmed reports of active exploitation, the vulnerability's severity and ease of exploitation suggest a potential for future attacks.
Refer to the XWiki Jira issue for more information: https://jira.xwiki.org/browse/FULLCAL-80 and https://jira.xwiki.org/browse/FULLCAL-81
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.