Vulnerability DatabaseCVE-2025-66511
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-66511
December 05, 2025
Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens, which allowed them to request details and submit dates in meeting proposals. The tokens are not purely random generated. This vulnerability is fixed in 6.0.3.
Affected Packages
https://github.com/nextcloud/calendar.git (GITHUB):
Affected version(s) >=v1.0 <v6.0.3
Fix Suggestion:
Update to version v6.0.3
Related Resources (4)
https://github.com/nextcloud/calendar/pull/7659
https://hackerone.com/reports/3385434
https://github.com/nextcloud/calendar/commit/8de14ae87f321f5f09280d9895a27d54d24f33fb
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-whm3-vv55-gf27
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.8
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Use of Insufficiently Random Values
CWE-330
EPSS
Base Score:
0.02