CVE-2026-29052

The Calendar module for HumHub enables users to create one-time or recurring events, manage attendee invitations, and efficiently track all scheduled activities. Prior to version 1.8.11, a Stored Cross-Site Scripting (XSS) vulnerability in the Event Types of the HumHub Calendar module impacts users viewing events created by an administrative account. This issue has been patched in version 1.8.11.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/humhub/calendar/releases/tag/v1.8.11	Product Release Notes
https://github.com/humhub/calendar/security/advisories/GHSA-gqj3-pmp2-mrx8	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:humhub:calendar:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-05 06:16

Updated : 2026-03-09 18:40

NVD link : CVE-2026-29052

Mitre link : CVE-2026-29052

CVE.ORG link : CVE-2026-29052

JSON object : View

Products Affected

humhub

calendar

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-29052", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-05T06:16:50.260", "references": [{"url": "https://github.com/humhub/calendar/releases/tag/v1.8.11", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/humhub/calendar/security/advisories/GHSA-gqj3-pmp2-mrx8", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "The Calendar module for HumHub enables users to create one-time or recurring events, manage attendee invitations, and efficiently track all scheduled activities. Prior to version 1.8.11, a Stored Cross-Site Scripting (XSS) vulnerability in the Event Types of the HumHub Calendar module impacts users viewing events created by an administrative account. This issue has been patched in version 1.8.11."}, {"lang": "es", "value": "El m\u00f3dulo de Calendario para HumHub permite a los usuarios crear eventos \u00fanicos o recurrentes, gestionar invitaciones de asistentes y rastrear eficientemente todas las actividades programadas. Antes de la versi\u00f3n 1.8.11, una vulnerabilidad de cross-site scripting (XSS) almacenado en los Tipos de Evento del m\u00f3dulo de Calendario de HumHub impacta a los usuarios que ven eventos creados por una cuenta administrativa. Este problema ha sido parcheado en la versi\u00f3n 1.8.11."}], "lastModified": "2026-03-09T18:40:51.523", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:humhub:calendar:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1B7B6BC6-26AE-416B-B48F-9FD65F2897BE", "versionEndExcluding": "1.8.11"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}