CVE-2026-9304 | calcom cal.diy up to 4.9.4 Logo API route.ts validateUrlForSSRF server-side request forgery

May 22, 2026 Yanac

A vulnerability was found in calcom cal.diy up to 4.9.4 and classified as critical. The affected element is the function validateUrlForSSRF of the file apps/web/app/api/logo/route.ts of the component Logo API. The manipulation results in server-side request forgery.

This vulnerability is known as CVE-2026-9304. It is possible to launch the attack remotely. Furthermore, an exploit is available.

The vendor was contacted early about this disclosure but did not respond in any way.VulDB Recent EntriesRead More