GHSA-2g22-wg49-fgv5

Suggest an improvement
Source
https://github.com/advisories/GHSA-2g22-wg49-fgv5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-2g22-wg49-fgv5/GHSA-2g22-wg49-fgv5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2g22-wg49-fgv5
Aliases
Published
2026-01-09T18:41:47Z
Modified
2026-01-09T19:26:17.137249Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService
Details

Impact

Anyone who has view rights on the Calendar.JSONService page, including guest users can exploit this vulnerability by accessing database info or starting a DoS attack.

Workarounds

Remove the Calendar.JSONService page. This will however break some functionalities.

References

Jira issue: * FULLCAL-80: SQL injection through Calendar.JSONService * FULLCAL-81: SQL injection through Calendar.JSONService still exists

For more information

If there are any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email Security Mailing List

Database specific 
{
    "severity": "CRITICAL",
    "github_reviewed_at": "2026-01-09T18:41:47Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "nvd_published_at": null,
    "github_reviewed": true
}
References

Affected packages

Maven / org.xwiki.contrib:macro-fullcalendar-pom

Package

Name
org.xwiki.contrib:macro-fullcalendar-pom
View open source insights on deps.dev
Purl
pkg:maven/org.xwiki.contrib/macro-fullcalendar-pom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.4.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-2g22-wg49-fgv5/GHSA-2g22-wg49-fgv5.json"

last_known_affected_version_range

"<= 2.4.3"