CVE-2025-65090 in macro-fullcalendarinfo

Summary

by MITRE • 01/10/2026

XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6.


Analysis

by VulDB Data Team • 01/12/2026

CVE-2025-65090 affects the XWiki Full Calendar Macro (extension macro-fullcalendarinfo), which displays wiki objects as events on a calendar. The calendar front end fetches its event data from a wiki page, Calendar.JSONService, that queries the wiki and returns the results as JSON. In versions prior to 2.4.6 that page does not restrict what it returns to the caller: the only gate is the right to view the Calendar.JSONService page itself, so the service becomes a path to data the caller would not otherwise be able to read.

Exploitation is simply a request to Calendar.JSONService by a user who can view that page. On wikis where guest viewing is allowed, that includes unauthenticated users, so no credentials are required. The check that is missing is authorization on the data being returned, not authentication on the endpoint: having view right on a helper page should not translate into the ability to read database content exposed through it. The issue is tracked as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

The practical impact is an information disclosure rather than a code-execution or integrity problem. The advisory states that database information other than passwords can be read, so an attacker can learn about wiki objects and their metadata, including calendar event details; on wikis used for scheduling this may reveal project timelines, meeting details or other confidential planning data, and it gives an attacker reconnaissance material for later attacks. The risk is greatest where guest access is enabled, because the service can then be queried repeatedly by anyone on the network without leaving an authenticated user behind in the audit trail.

The fix is to upgrade the extension to version 2.4.6 or later. Where that cannot be done immediately, the precondition named in the advisory suggests a workaround: removing view right on the Calendar.JSONService page from guests and other untrusted groups closes the described access path, at the cost of the calendar no longer loading for those users; treat this as a stopgap derived from the description, not as a vendor-documented mitigation. More generally, any wiki page that acts as a JSON or data service should be reviewed to confirm it checks the caller's rights on the data it returns and not only on the page serving it, since the same pattern can recur in other XWiki extensions. The behaviour maps to ATT&CK technique T1213 (Data from Information Repositories), so access-log monitoring for unauthenticated bursts of requests to the service page is a reasonable detection to add alongside the upgrade.
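As an added example (not code from VulDB, MITRE or the XWiki project), the following Python script does two things a practitioner would want after reading the above: it decides whether an installed macro-fullcalendarinfo version is in the affected range (prior to 2.4.6), and it scans access-log lines for unauthenticated bursts against the Calendar.JSONService page. The log lines are constructed for the example. Assumptions that are mine and not the advisory's: the log is in combined format with the remote-user field filled for authenticated sessions and "-" for guests, and the service is reached at XWiki's usual /bin/<action>/Calendar/JSONService URL.

```python
"""Version check and guest-probe detector for CVE-2025-65090.

Added example, not part of the VulDB page or the XWiki project.
Assumptions (not from the advisory): combined-format access log with the
remote-user field set for authenticated sessions, and the service page
served at .../bin/<view|get>/Calendar/JSONService.
"""
import re
from collections import Counter

# First fixed release according to the advisory.
FIXED_VERSION = (2, 4, 6)

VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")

# Combined log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed URL of the service page (XWiki's standard space/page URL scheme).
SERVICE_RE = re.compile(r"/bin/(?:view|get)/Calendar/JSONService(?:[/?]|$)")

# Constructed sample log: 203.0.113.7 hits the service three times as a guest,
# alice hits it once authenticated, 192.0.2.9 hits it once as a guest.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2026:10:00:01 +0000] "GET /xwiki/bin/get/Calendar/JSONService HTTP/1.1" 200 18422
203.0.113.7 - - [12/Jan/2026:10:00:02 +0000] "GET /xwiki/bin/get/Calendar/JSONService HTTP/1.1" 200 18422
203.0.113.7 - - [12/Jan/2026:10:00:03 +0000] "GET /xwiki/bin/get/Calendar/JSONService HTTP/1.1" 200 18422
198.51.100.4 - alice [12/Jan/2026:10:00:05 +0000] "GET /xwiki/bin/get/Calendar/JSONService HTTP/1.1" 200 2210
203.0.113.7 - - [12/Jan/2026:10:00:06 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9120
192.0.2.9 - - [12/Jan/2026:10:00:07 +0000] "GET /xwiki/bin/view/Calendar/JSONService HTTP/1.1" 200 18422
"""


def parse_version(version):
    """Split '2.4.6-rc-1' into ((2, 4, 6), '-rc-1'); pads the tuple to 3 parts."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts = parts + (0,) * (3 - len(parts))
    return parts, m.group(2)


def is_affected(version):
    """True for releases prior to 2.4.6. A pre-release of 2.4.6 itself is
    treated as affected (conservative: it may predate the fix)."""
    parts, suffix = parse_version(version)
    if parts < FIXED_VERSION:
        return True
    return parts == FIXED_VERSION and suffix != ""


def flag_guest_probes(log_text, threshold=3):
    """Return {client_ip: count} for clients that fetched the service page as
    a guest (user field '-') with HTTP 200 at least `threshold` times."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["user"] != "-":
            continue  # unparsable, or an authenticated session
        if m["status"] != "200" or not SERVICE_RE.search(m["path"]):
            continue  # not the service page, or the request was refused
        counts[m["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for v in ("2.4.5", "2.4.6", "2.4.10"):
        print(v, "affected" if is_affected(v) else "fixed")
    print(flag_guest_probes(SAMPLE_LOG))
```

The status filter matters: once guest view right is removed from the page as a stopgap, the same requests come back as 401 or 403 and should no longer count as a leak, though a flood of refused requests is still worth a look. Set `threshold` from the normal per-user request rate of your calendar page; a legitimate calendar view issues far fewer fetches than a scripted dump.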

Responsible

GitHub M

Reservation

11/17/2025

Disclosure

01/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00048

KEV

no

Activities

very low

Sources
