CVE-2025-66511

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-66511

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66511.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-66511

Aliases

GHSA-whm3-vv55-gf27

Published

2025-12-05T16:42:30.236Z

Modified

2026-04-02T13:02:24.552975Z

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Nextcloud Calendar app used predictable proposal participant tokens

Details

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens, which allowed them to request details and submit dates in meeting proposals. The tokens are not purely random generated. This vulnerability is fixed in 6.0.3.

Database specific

{
    "cwe_ids": [
        "CWE-330"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66511.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/nextcloud/calendar

Affected ranges

Type: GIT
Repo: https://github.com/nextcloud/calendar
Events: Introduced

744644f967574066f0fe6f705dbffcb7fec64690

Fixed

863b364fffcc304feecf71b80c2c706fd071aa7e

Affected versions

v6.*

v6.0.0

v6.0.0-rc.1

v6.0.0-rc.2

v6.0.0-rc.3

v6.0.0-rc.4

v6.0.0-rc.5

v6.0.0-rc.6

v6.0.1

v6.0.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66511.json"