CVE-2026-40308

Source
https://cve.org/CVERecord?id=CVE-2026-40308
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40308.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40308
Aliases
Published
2026-04-16T21:30:52.401Z
Modified
2026-07-08T08:15:05.038240539Z
Severity
  • 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
My Calendar: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog
Details

My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mcajaxmcjsaction AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parsestr() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switchtoblog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switchtoblog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40308.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-639"
    ]
}
References

Affected packages

Git / github.com/joedolson/my-calendar

Affected ranges

Type
GIT
Repo
https://github.com/joedolson/my-calendar
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.7.7"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

3.*
3.2.0-RC1
v.*
v.3.0.6
v3.*
v3.0.0
v3.0.1
v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.14
v3.0.15
v3.0.16
v3.0.17
v3.0.18
v3.0.3
v3.0.4
v3.0.5
v3.0.7
v3.0.8
v3.0.9
v3.1.0
v3.1.1
v3.1.10
v3.1.11
v3.1.12
v3.1.13
v3.1.14
v3.1.15
v3.1.16
v3.1.17
v3.1.18
v3.1.2
v3.1.3
v3.1.4
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.2.0
v3.2.0-beta
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.14
v3.2.15
v3.2.16
v3.2.17
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.8
v3.2.9
v3.3.0
v3.3.0-RC1
v3.3.0-RC2
v3.3.0-RC3
v3.3.0-RC4
v3.3.0-alpha-2
v3.3.0-beta-1
v3.3.1
v3.3.10
v3.3.11
v3.3.12
v3.3.13
v3.3.14
v3.3.15
v3.3.16
v3.3.17
v3.3.18
v3.3.19
v3.3.2
v3.3.20
v3.3.21
v3.3.22
v3.3.23
v3.3.24
v3.3.24.1
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9
v3.4.0
v3.4.0-RC-1
v3.4.0-RC-2
v3.4.0-RC-3
v3.4.0-RC-4
v3.4.0-beta-1
v3.4.0-beta-2
v3.4.0-beta-3
v3.4.1
v3.4.10
v3.4.11
v3.4.12
v3.4.13
v3.4.14
v3.4.15
v3.4.16
v3.4.17
v3.4.18
v3.4.19
v3.4.2
v3.4.20
v3.4.21
v3.4.3
v3.4.4
v3.4.5
v3.4.6
v3.4.7
v3.4.8
v3.4.9
v3.5.0
v3.5.0-alpha
v3.5.0-beta1
v3.5.0-beta2
v3.5.0-beta3
v3.5.0-rc1
v3.5.0-rc2
v3.5.1
v3.5.10
v3.5.11
v3.5.12
v3.5.13
v3.5.14
v3.5.15
v3.5.16
v3.5.17
v3.5.18
v3.5.19
v3.5.2
v3.5.20
v3.5.21
v3.5.3
v3.5.4
v3.5.5
v3.5.6
v3.5.7
v3.5.8
v3.5.9
v3.6.0
v3.6.0-RC1
v3.6.0-beta1
v3.6.1
v3.6.10
v3.6.11
v3.6.12
v3.6.13
v3.6.14
v3.6.15
v3.6.16
v3.6.2
v3.6.3
v3.6.4
v3.6.5
v3.6.6
v3.6.7
v3.6.8
v3.6.9
v3.7.0
v3.7.0-beta
v3.7.0-rc1
v3.7.1
v3.7.2
v3.7.3
v3.7.4
v3.7.5
v3.7.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40308.json"