CVE-2025-65091
Published: 10 January 2026
Summary
CVE-2025-65091 is a critical-severity SQL Injection (CWE-89) vulnerability in Xwiki Full Calendar Macro. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the SQL injection vulnerability by requiring input validation mechanisms at entry points like the Calendar.JSONService to block malicious payloads.
Mandates identification, reporting, and correction of flaws such as this SQL injection in the Full Calendar Macro by applying the patch to version 2.4.5.
Boundary protection with web application firewalls monitors and controls traffic to block SQL injection attempts on the vulnerable Calendar.JSONService endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing XWiki Calendar.JSONService enables exploitation of public-facing application (T1190), database information disclosure (T1213.006), and DoS via application exploitation (T1499.004).
NVD Description
XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting…
more
a DoS attack. This issue has been patched in version 2.4.5.
Deeper analysisAI
CVE-2025-65091 is a SQL injection vulnerability (CWE-89) in the XWiki Full Calendar Macro, a component that displays objects from the wiki on the calendar. The flaw affects versions prior to 2.4.5, where improper input handling in the macro enables exploitation via the Calendar.JSONService page.
Any network-accessible attacker with view access to the Calendar.JSONService page, including guest users and requiring no privileges (PR:N), can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N). Exploitation grants high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) with changed scope (S:C), allowing database information disclosure or denial-of-service attacks, as reflected in its perfect CVSS v3.1 score of 10.0.
The issue was addressed in version 2.4.5 of the Full Calendar Macro. Official mitigation details are available in the GitHub security advisory (GHSA-2g22-wg49-fgv5) and the patching commit (5fdcf06a05015786492fda69b4d9dea5460cc994).
Details
- CWE(s)