CVE-2025-66489

Exploit

EPSS 0.79%
Veröffentlicht 03.12.2025 19:44:35
Zuletzt bearbeitet 13.02.2026 16:03:36
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Cal.com Authentication Bypass via bad TOTP + password checks

Cal.com is open-source scheduling software. Prior to 5.9.8, A flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic conditional logic in the authentication flow. This vulnerability is fixed in 5.9.8.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cal ≫ Cal.Com Version < 5.9.8

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.79%	0.514

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.9	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-303 Incorrect Implementation of Authentication Algorithm

The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.

https://github.com/calcom/cal.com/security/advisories/GHSA-9r3w-4j8q-pw98

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-66489

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-66489

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-66489

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-66489