CVE-2025-66489 · CRITICAL 9.8 · EPSS percentile 51.4%

Description

Cal.com is open-source scheduling software. Prior to 5.9.8, a flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic conditional logic in the authentication flow. This vulnerability is fixed in 5.9.8.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.79% probability of exploitation · percentile 51.4% · 2026-06-19T12:03:05Z
Published: 2025-12-03
Last modified: 2026-02-13

Underlying weaknesses · 1

CWE-303

References

  1. https://github.com/calcom/cal.com/security/advisories/GHSA-9r3w-4j8q-pw98

Type        Target                                                          Confidence   Tier
Weakness    Incorrect Implementation of Authentication Algorithm (CWE-303)  0%           live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-23478
  2. CVE-2025-46247
  3. CVE-2025-46241
  4. CVE-2026-8495
  5. CVE-2025-32310
  6. CVE-2025-58587

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.