Headline
GHSA-637h-ch24-xp9m: XWiki Full Calendar Macro vulnerable to data leak through Calendar.JSONService
Impact
Anyone who has view rights on the Calendar.JSONService page, including guest users, can exploit this vulnerability to access database information, with the exception of passwords.
Workarounds
Remove the Calendar.JSONService page. This will, however, break some functionality.
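To review past exposure and to confirm the workaround took effect, the following added example (not part of the advisory or of the XWiki project) scans web access logs for requests to the Calendar.JSONService page. It assumes the standard XWiki URL layout `/bin/<action>/<Space>/<Page>` and the Apache/Nginx "combined" log format; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qsl

# Assumption: Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')
# Assumption: standard XWiki URL layout /<context>/bin/<action>/<Space>/<Page>.
# Matching is case-insensitive to stay conservative across database collations.
PAGE_RE = re.compile(r'/bin/(?P<action>[^/]+)/Calendar/JSONService/?$', re.IGNORECASE)

def find_jsonservice_hits(lines):
    """Return one record per request that targeted Calendar.JSONService."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # Drop path parameters (";jsessionid=...") first, then percent-decode,
        # so encoded spellings of the page name are still recognised.
        path = unquote(parts.path.split(";", 1)[0])
        page = PAGE_RE.search(path)
        if not page:
            continue
        size = m.group("size")
        hits.append({
            "ip": m.group("ip"), "time": m.group("ts"),
            "action": page.group("action").lower(),
            "status": int(m.group("status")),
            "bytes": int(size) if size.isdigit() else 0,
            # Parameter names only; values may hold data not worth copying around.
            "params": sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}),
        })
    return hits

def served(hits):
    """Requests that got a 2xx answer, i.e. the page existed and responded."""
    return [h for h in hits if 200 <= h["status"] < 300]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [09/Jan/2026:10:00:00 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Jan/2026:10:00:01 +0000] "GET /xwiki/bin/get/Calendar/JSONService?outputSyntax=plain HTTP/1.1" 200 5321 "-" "curl/8.0"',
    '198.51.100.7 - - [09/Jan/2026:10:00:02 +0000] "GET /xwiki/bin/view/Calendar/JSON%53ervice;jsessionid=ABC HTTP/1.1" 200 4410 "-" "curl/8.0"',
    '203.0.113.5 - - [09/Jan/2026:12:30:00 +0000] "GET /xwiki/bin/view/Calendar/JSONService HTTP/1.1" 404 - "-" "Mozilla/5.0"',
    '192.0.2.10 - - [09/Jan/2026:12:31:00 +0000] "GET /xwiki/bin/view/Calendar/WebHome HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in find_jsonservice_hits(SAMPLE):
        print(h["time"], h["ip"], h["action"], h["status"], h["bytes"], h["params"])
```

Once the page has been removed, new requests to it should show up with a 404 status, as in the fourth sample line; session-based logins do not appear in this log format, so guest and authenticated requests cannot be told apart from these fields alone.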
References
Jira issue:
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-65090
Package
org.xwiki.contrib:macro-fullcalendar-pom (Maven)
Affected versions
<= 2.4.5
Description
Published to the GitHub Advisory Database: Jan 9, 2026
EPSS score