Vulnerability Description
Cal.com is open-source scheduling software. Prior to 5.9.8, a flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic conditional logic in the authentication flow. This vulnerability is fixed in 5.9.8.
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cal | Cal.Com | < 5.9.8 |
Related Weaknesses (CWE)
References
- https://github.com/calcom/cal.com/security/advisories/GHSA-9r3w-4j8q-pw98 (Third Party Advisory, Exploit)
FAQ
What is CVE-2025-66489?
CVE-2025-66489 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Cal.com is open-source scheduling software. Prior to 5.9.8, a flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts.
How severe is CVE-2025-66489?
CVE-2025-66489 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-66489?
Check the references section above for vendor advisories and patch information. According to the vulnerability description, the issue is fixed in Cal.com 5.9.8; versions prior to 5.9.8 are affected. Affected product: Cal.com (vendor: Cal).