CVE-2026-9304— calcom cal.diy Logo API route.ts validateUrlForSSRF server-side request forgery

CVSS 5.0 · Medium EPSS 0.04% · P12 Updated May 26, 2026

Possible ATT&CK Techniques 1AI

T1190 · Exploit Public-Facing Application

Affected Version Matrix 5

Vendor	Product	Version Range	Status
calcom	cal.diy	`4.9.0`	affected
		`4.9.1`	affected
		`4.9.2`	affected
		`4.9.3`	affected
		`4.9.4`	affected

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-9304

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

calcom cal.diy Logo API route.ts validateUrlForSSRF server-side request forgery

Source: NVD (National Vulnerability Database)

Vulnerability Description

A security flaw has been discovered in calcom cal.diy up to 4.9.4. The affected element is the function validateUrlForSSRF of the file apps/web/app/api/logo/route.ts of the component Logo API. The manipulation results in server-side request forgery. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is described as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Source: NVD (National Vulnerability Database)

Vulnerability Type

服务端请求伪造(SSRF)

Source: NVD (National Vulnerability Database)

Vulnerability Title

cal.diy 代码问题漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

cal.diy是Cal开源的一个开源日程调度平台。 cal.diy 4.9.4及之前版本存在代码问题漏洞，该漏洞源于Logo API组件文件apps/web/app/api/logo/route.ts中函数validateUrlForSSRF，可能导致服务端请求伪造。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
calcom	cal.diy	4.9.0	`cpe:2.3:a:calcom:cal.diy::::::::`

II. Public POCs for CVE-2026-9304

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-9304

请登录查看更多情报信息。

Proof of Concept for CVE-2026-9304 (1)

🔗 SSRF Protection Bypass via HTTP Redirects (TOCTOU) in Logo API · GitHub Read full article exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-9304

IV. Related Vulnerabilities

Same product: cal.diy

Same vendor: calcom

Same weakness: CWE-918

V. Comments for CVE-2026-9304

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-9304— calcom cal.diy Logo API route.ts validateUrlForSSRF server-side request forgery

Possible ATT&CK Techniques 1AI

Affected Version Matrix 5

I. Basic Information for CVE-2026-9304

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-9304

III. Intelligence Information for CVE-2026-9304

Proof of Concept for CVE-2026-9304 (1)

IV. Related Vulnerabilities

V. Comments for CVE-2026-9304

Leave a comment