CVE-2025-65090: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in xwiki-contrib macro-fullcalendar
XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6.
AI Analysis
Technical Summary
CVE-2025-65090 affects the macro-fullcalendar component of the xwiki-contrib project in versions prior to 2.4.6. The component integrates calendar functionality into XWiki and displays wiki objects on a calendar interface. The flaw is that any user who can view the Calendar.JSONService page, including unauthenticated guest users, can retrieve sensitive database information through that service. Passwords are excluded, but other sensitive data held in the database can be exposed, which makes this an information disclosure vulnerability classified under CWE-200. It is exploitable remotely without authentication or user interaction, which raises its risk profile. The CVSS v3.1 base score is 5.3 (medium), reflecting a confidentiality impact with no effect on integrity or availability. The vulnerability was publicly disclosed in January 2026 and is fixed in macro-fullcalendar version 2.4.6. No exploitation in the wild has been reported, but the low barrier to exploitation and the nature of the exposed information make prompt patching essential. The root cause is insufficient access control on the Calendar.JSONService endpoint, which allows unauthorized data retrieval.
Potential Impact
For European organizations, this vulnerability poses a risk of sensitive information leaking from XWiki deployments that use the macro-fullcalendar component. Passwords are not exposed, but other confidential data stored in the wiki database could be read by unauthorized parties, and that information could support follow-on attacks such as social engineering or targeted intrusions. Organizations that rely on XWiki for collaboration, documentation, or knowledge management face reputational damage, GDPR compliance issues arising from unauthorized data exposure, and operational risk if sensitive business information is leaked. Because exploitation is remote and unauthenticated, opportunistic scanning and exploitation are more likely, especially against publicly reachable XWiki instances. The impact is greater for sectors with strict data protection requirements, such as finance, healthcare, and government agencies within Europe.
Mitigation Recommendations
The primary and most effective mitigation is to upgrade the macro-fullcalendar component to version 2.4.6 or later, where the vulnerability is patched. Organizations should audit their XWiki instances to identify affected versions and prioritize patching accordingly. Where an immediate upgrade is not feasible:
- Restrict access to the Calendar.JSONService page with network-level controls such as IP whitelisting or VPN-only access.
- Adjust XWiki permissions so that only trusted, authenticated users hold view rights on the page; guest access is what makes the issue unauthenticated.
- Monitor access logs for unusual request patterns against the Calendar.JSONService endpoint to detect exploitation attempts.
- Deploy web application firewall (WAF) rules that flag or block suspicious requests to the vulnerable endpoint as a temporary measure.
- Conduct regular security assessments and ensure that sensitive data stored in the wiki is classified and access-controlled appropriately.
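One way to implement the log monitoring recommended above, as an added example that is not part of this advisory or of the XWiki project: it parses combined-format access-log lines, keeps only successful requests to the Calendar.JSONService page, and reports clients outside a trusted network or above a per-client request ceiling. The /bin/<action>/<Space>/<Page> path layout is XWiki's standard URL scheme, and the trusted network, the ceiling, and the sample log lines are all constructed here.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Combined access-log format (Apache/Tomcat). The /bin/<action>/<Space>/<Page>
# path layout follows XWiki's standard URL scheme and is an assumption here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Any action (view, get, download, ...) on the Calendar.JSONService page.
ENDPOINT_RE = re.compile(r'/bin/[a-z]+/Calendar/JSONService(?:[/?;]|$)', re.IGNORECASE)

# Constructed policy: clients in TRUSTED_NETS may use the endpoint; any other
# client, or any client with more than MAX_HITS successful responses, is reported.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]
MAX_HITS = 3


def analyze(lines, trusted=TRUSTED_NETS, max_hits=MAX_HITS):
    """Map client IP -> reasons, for every client whose JSONService use breaks policy."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not ENDPOINT_RE.search(m.group("path")):
            continue
        if m.group("status") != "200":  # denied or failed requests leaked nothing
            continue
        hits[m.group("ip")] += 1
    findings = {}
    for ip, n in hits.items():
        reasons = []
        if not any(ip_address(ip) in net for net in trusted):
            reasons.append("request from untrusted network")
        if n > max_hits:
            reasons.append(f"{n} successful requests exceed limit of {max_hits}")
        if reasons:
            findings[ip] = reasons
    return findings


# Constructed sample traffic, not real log data.
LINE = '{ip} - - [10/Jan/2026:09:{sec:02d}:00 +0000] "GET {path} HTTP/1.1" {status} 5120'
SAMPLE_LOG = [
    LINE.format(ip="10.1.2.3", sec=0, path="/xwiki/bin/get/Calendar/JSONService?outputSyntax=plain", status=200),
    LINE.format(ip="10.1.2.3", sec=1, path="/xwiki/bin/view/Main/WebHome", status=200),
    LINE.format(ip="198.51.100.7", sec=2, path="/xwiki/bin/get/Calendar/JSONService?outputSyntax=plain", status=200),
    LINE.format(ip="203.0.113.9", sec=3, path="/xwiki/bin/view/Calendar/JSONService", status=403),
] + [LINE.format(ip="10.9.9.9", sec=s, path="/xwiki/bin/get/Calendar/JSONService", status=200) for s in range(4, 9)]

if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The 403 line is ignored on purpose: a denied request is evidence that the permission fix is working, not of a leak, so only 200 responses count toward the per-client total.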
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-17T20:55:34.691Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6961cb1719784dcf52be20d8
Added to database: 1/10/2026, 3:44:23 AM
Last enriched: 1/10/2026, 3:59:05 AM
Last updated: 1/10/2026, 9:25:52 PM