Security: calcom/cal.com
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- Authentication Bypass via Unvalidated Email in Custom JWT Callback. GHSA-7hg4-x4pr-3hrg, published Jan 13, 2026 by pedroccastro. Critical
- Cal.com affected by CVE-2025-55182 and CVE-2025-66478. GHSA-qjx2-5xqp-cpf4, published Dec 7, 2025 by keithwillcode. Critical
- Authentication Bypass via bad TOTP + password checks. GHSA-9r3w-4j8q-pw98, published Dec 3, 2025 by emrysal. Critical
- XSS via booking view questions. GHSA-vgj7-76cw-h6f8, published Dec 4, 2024 by PeerRich. High
- Repository takeover via `.github/workflows/pr.yml`. GHSA-p3f6-52gv-cj7m, published Apr 8, 2024 by keithwillcode. Critical
- Not expiring old sessions after enabling 2FA. GHSA-cpf2-q635-xrwx, published Jul 21, 2023 by ConnorGargano. Low