CVE-2025-23606 identifies a reflected cross-site scripting (XSS) vulnerability in the sebkay Calendi web application, affecting all versions up to and including 1.1.1. The vulnerability stems from improper neutralization of input during web page generation, meaning that user-supplied data is not correctly sanitized or encoded before being included in the HTML output. This allows attackers to craft malicious URLs or inputs that, when processed by the vulnerable application, cause arbitrary JavaScript code to execute in the context of the victim's browser session. Reflected XSS attacks typically require the victim to click a malicious link or visit a specially crafted page. Successful exploitation can lead to theft of session cookies, user impersonation, defacement, or redirection to malicious sites. Although no exploits are currently known in the wild, the vulnerability is publicly disclosed and unpatched, increasing the risk of future attacks. The affected product, Calendi, is a web-based calendar or scheduling tool developed by sebkay, used in various organizational contexts. The lack of a CVSS score necessitates an assessment based on impact and exploitability factors. The vulnerability impacts confidentiality and integrity primarily, with moderate impact on availability. Exploitation is straightforward and does not require authentication but does require user interaction. The scope includes all deployments of Calendi up to version 1.1.1. The vulnerability was published on January 22, 2025, with no patch currently available. Organizations using Calendi should prioritize remediation and implement compensating controls to mitigate risk.

The primary impact of CVE-2025-23606 is on the confidentiality and integrity of user sessions and data within affected Calendi deployments. An attacker exploiting this reflected XSS vulnerability can execute arbitrary JavaScript in the context of a victim's browser, potentially stealing session cookies, credentials, or other sensitive information. This can lead to unauthorized access to user accounts and sensitive calendar or scheduling information. Additionally, attackers may perform actions on behalf of users, such as modifying calendar entries or injecting malicious content, undermining data integrity. While availability impact is limited, successful exploitation can facilitate phishing or malware distribution campaigns, indirectly affecting organizational security posture. The vulnerability's ease of exploitation and lack of required authentication increase its risk profile. Organizations relying on Calendi for scheduling or collaboration may face reputational damage, compliance violations, and operational disruption if exploited. The absence of known exploits in the wild currently limits immediate impact but does not reduce the urgency for mitigation given the public disclosure and potential for rapid weaponization.

To mitigate CVE-2025-23606, organizations should first monitor vendor communications for patches or updates addressing this vulnerability and apply them promptly once available. In the interim, implement strict input validation and output encoding on all user-supplied data to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS payloads. Review and harden web application firewall (WAF) rules to detect and block malicious payloads targeting reflected XSS vectors. Educate users to avoid clicking suspicious links and implement multi-factor authentication (MFA) to limit the impact of stolen credentials. Conduct regular security assessments and penetration testing focusing on input handling and XSS vulnerabilities. Additionally, consider isolating the Calendi application within segmented network zones to limit lateral movement if compromised. Logging and monitoring for unusual user activity or error patterns can aid in early detection of exploitation attempts. Finally, developers should adopt secure coding practices, including proper sanitization libraries and frameworks that automatically handle output encoding.