Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.19, 5.5.6, and 6.0.1, the calendar app allowed blindly booking appointments with a squential ID without known the appointment token. This vulnerability is fixed in 4.7.19, 5.5.6, and 6.0.1.
References
| Link | Resource |
|---|---|
| https://github.com/nextcloud/calendar/commit/f41650c3681fc4a4130eb883f5c0899c011326b3 | Patch |
| https://github.com/nextcloud/calendar/pull/7537 | Issue Tracking |
| https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7x2j-2674-fj95 | Patch Vendor Advisory |
| https://hackerone.com/reports/3275810 | Issue Tracking Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
09 Dec 2025, 16:36
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/nextcloud/calendar/commit/f41650c3681fc4a4130eb883f5c0899c011326b3 - Patch | |
| References | () https://github.com/nextcloud/calendar/pull/7537 - Issue Tracking | |
| References | () https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7x2j-2674-fj95 - Patch, Vendor Advisory | |
| References | () https://hackerone.com/reports/3275810 - Issue Tracking, Vendor Advisory | |
| First Time |
Nextcloud calendar
Nextcloud |
|
| CPE | cpe:2.3:a:nextcloud:calendar:6.0.0:rc4:*:*:*:*:*:* cpe:2.3:a:nextcloud:calendar:*:*:*:*:*:*:*:* cpe:2.3:a:nextcloud:calendar:6.0.0:rc1:*:*:*:*:*:* cpe:2.3:a:nextcloud:calendar:6.0.0:rc3:*:*:*:*:*:* cpe:2.3:a:nextcloud:calendar:6.0.0:rc2:*:*:*:*:*:* cpe:2.3:a:nextcloud:calendar:6.0.0:rc6:*:*:*:*:*:* cpe:2.3:a:nextcloud:calendar:6.0.0:rc5:*:*:*:*:*:* cpe:2.3:a:nextcloud:calendar:6.0.0:-:*:*:*:*:*:* |
05 Dec 2025, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-12-05 17:16
Updated : 2025-12-09 16:36
NVD link : CVE-2025-66546
Mitre link : CVE-2025-66546
CVE.ORG link : CVE-2025-66546
JSON object : View
Products Affected
nextcloud
- calendar
CWE
CWE-639
Authorization Bypass Through User-Controlled Key