CVE-2025-65091: XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService

January 9, 2026 (updated January 11, 2026)

Anyone who has view rights on the Calendar.JSONService page, including guest users can exploit this vulnerability by accessing database info or starting a DoS attack.

References

github.com/advisories/GHSA-2g22-wg49-fgv5
github.com/xwiki-contrib/macro-fullcalendar
github.com/xwiki-contrib/macro-fullcalendar/commit/5fdcf06a05015786492fda69b4d9dea5460cc994
github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-2g22-wg49-fgv5
nvd.nist.gov/vuln/detail/CVE-2025-65091

Code Behaviors & Features

Detect and mitigate CVE-2025-65091 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →