CVE-2025-65091: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in xwiki-contrib macro-fullcalendar
XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5.
AI Analysis
Technical Summary
CVE-2025-65091 is a critical SQL injection vulnerability in the xwiki-contrib macro-fullcalendar plugin, which displays wiki objects on a calendar interface. Versions prior to 2.4.5 are affected; the flaw is an improper neutralization of special elements in SQL commands (CWE-89). Any user with permission to view the Calendar.JSONService page, including unauthenticated guest users, can inject SQL into the queries that page runs. An attacker can use this to read sensitive database information, manipulate data integrity, or cause a denial of service by overwhelming the database with crafted queries. The vulnerability is exploitable remotely without authentication or user interaction, which significantly raises its risk profile. The vendor fixed the issue in version 2.4.5; systems running older versions remain vulnerable. No public exploits have been observed in the wild, but the CVSS v3.1 score of 10.0 is the maximum severity, reflecting a critical threat to confidentiality, integrity, and availability with a wide attack surface and ease of exploitation.
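The following is an added illustration of the CWE-89 pattern named above and of the standard fix, written for this page; it is not the macro's own code and does not reproduce the plugin's schema, query or patch. A calendar feed typically takes a date range from the caller, so the example uses an in-memory SQLite table of constructed event rows and a hypothetical start/end filter. The concatenating version lets a crafted `start` value rewrite the WHERE clause and expose non-public rows; the bound-parameter version sends the same value to the engine as data, and an input check rejects it before the query is even built.

```python
import re
import sqlite3

# Constructed sample rows standing in for calendar event objects (not the plugin's schema).
EVENTS = [
    ("Team sync", "2025-11-03", "internal"),
    ("Board meeting", "2025-11-20", "confidential"),
    ("Public webinar", "2025-12-01", "public"),
]

ISO_DAY = re.compile(r"\d{4}-\d{2}-\d{2}")


def make_db():
    """Build an in-memory database seeded with the constructed events."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE event (title TEXT, day TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO event VALUES (?, ?, ?)", EVENTS)
    return conn


def events_concat(conn, start, end):
    """CWE-89: caller-controlled start/end are spliced into the SQL text.

    A value containing a quote closes the string literal and the remainder is
    parsed as SQL, so the visibility restriction can be bypassed.
    """
    sql = (
        "SELECT title FROM event WHERE visibility = 'public' "
        f"AND day >= '{start}' AND day <= '{end}'"
    )
    return [row[0] for row in conn.execute(sql)]


def events_bound(conn, start, end):
    """Hardened form: the same query with placeholders.

    The engine receives start/end as parameters, never as SQL text, so a
    quote inside the value is just a character being compared.
    """
    sql = (
        "SELECT title FROM event WHERE visibility = 'public' "
        "AND day >= ? AND day <= ?"
    )
    return [row[0] for row in conn.execute(sql, (start, end))]


def checked_day(value):
    """Defence in depth: a calendar range parameter must be an ISO date, nothing else."""
    if not ISO_DAY.fullmatch(value):
        raise ValueError("expected YYYY-MM-DD, got %r" % value)
    return value


if __name__ == "__main__":
    db = make_db()
    crafted = "2025-01-01' OR '1'='1"  # textbook string-breaking input, constructed
    print("concatenated:", events_concat(db, crafted, "2025-12-31"))  # leaks all rows
    print("bound:       ", events_bound(db, crafted, "2025-12-31"))   # public row only
    try:
        checked_day(crafted)
    except ValueError as err:
        print("rejected:    ", err)
```

Parameter binding is the fix that addresses the root cause; the format check is a cheap second line of defence and also gives clearer error messages. In XWiki scripts the same principle applies to the query API: values should be bound to named parameters rather than concatenated into HQL or XWQL strings.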
Potential Impact
For European organizations, exploitation of this vulnerability could lead to severe data breaches, exposing sensitive corporate or personal data stored in XWiki databases. The integrity of data could be compromised, allowing attackers to alter or delete critical information, potentially disrupting business operations. Additionally, attackers could launch denial of service attacks against the database backend, causing service outages and impacting availability of wiki-based collaboration tools. Organizations in sectors such as government, finance, healthcare, and critical infrastructure that rely on XWiki for documentation or collaboration are particularly at risk. The fact that guest users can exploit this vulnerability means that external attackers do not need valid credentials, increasing the likelihood of attacks. The vulnerability could also be leveraged as a foothold for further network compromise or lateral movement within affected environments.
Mitigation Recommendations
Immediate upgrade of the macro-fullcalendar plugin to version 2.4.5 or later is the primary and most effective mitigation. Organizations should audit their XWiki installations to identify any instances running vulnerable versions. Restrict access to the Calendar.JSONService page by applying stricter access controls or network segmentation to limit exposure to untrusted users. Implement Web Application Firewalls (WAFs) with SQL injection detection rules to provide an additional layer of defense. Regularly monitor logs for unusual or suspicious SQL queries targeting the calendar service endpoints. Conduct security assessments and penetration testing focused on XWiki components to detect any residual vulnerabilities. Educate administrators and developers on secure coding practices to prevent similar injection flaws in custom macros or plugins.
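As a worked example of the log-monitoring recommendation above, here is an added Python script (not part of this page or of the XWiki project) that scans web-server access logs for requests to the calendar JSON service. It assumes the page is served at a URL of the form `/bin/get/Calendar/JSONService` or `/bin/view/Calendar/JSONService` (the usual XWiki space/page URL layout; adjust to the deployment), assumes Common Log Format lines, and uses a constructed sample log. It flags two things the advisory cares about: query parameters carrying SQL metacharacters where only dates are expected, and a single source hammering the endpoint, which is the denial-of-service shape described above. The flood threshold is an arbitrary value for the sample.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Assumed URL form of the Calendar.JSONService page (space "Calendar", page "JSONService").
ENDPOINT = re.compile(r"/bin/(get|view)/Calendar/JSONService\b")

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Characters and keywords that never belong in a date-range parameter of a calendar feed.
SQL_HINT = re.compile(
    r"""['"`;]|--|/\*|\b(union|select|sleep|benchmark|pg_sleep|waitfor)\b""", re.I
)

FLOOD_THRESHOLD = 5  # requests from one source to the endpoint within the sample (arbitrary)

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '10.0.0.5 - alice [10/Jan/2026:03:44:23 +0000] "GET /xwiki/bin/get/Calendar/JSONService?start=2026-01-01&end=2026-01-31 HTTP/1.1" 200 812',
    '203.0.113.7 - - [10/Jan/2026:03:45:10 +0000] "GET /xwiki/bin/get/Calendar/JSONService?start=2026-01-01%27%20OR%20%271%27%3D%271&end=2026-01-31 HTTP/1.1" 200 9120',
    '203.0.113.7 - - [10/Jan/2026:03:45:11 +0000] "GET /xwiki/bin/get/Calendar/JSONService?start=2026-01-01&end=2026-01-31 HTTP/1.1" 200 812',
    '203.0.113.7 - - [10/Jan/2026:03:45:11 +0000] "GET /xwiki/bin/get/Calendar/JSONService?start=2026-01-01&end=2026-01-31 HTTP/1.1" 200 812',
    '203.0.113.7 - - [10/Jan/2026:03:45:12 +0000] "GET /xwiki/bin/get/Calendar/JSONService?start=2026-01-01&end=2026-01-31 HTTP/1.1" 200 812',
    '203.0.113.7 - - [10/Jan/2026:03:45:12 +0000] "GET /xwiki/bin/get/Calendar/JSONService?start=2026-01-01&end=2026-01-31 HTTP/1.1" 200 812',
    '10.0.0.5 - alice [10/Jan/2026:03:46:00 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5012',
]


def parse_line(line):
    """Return the fields of one CLF line, or None if it does not match."""
    m = CLF.match(line)
    if not m:
        return None
    ip, user, when, method, target, status = m.groups()
    return {"ip": ip, "user": user, "when": when, "method": method,
            "target": target, "path": urlsplit(target).path, "status": int(status)}


def suspicious_params(target):
    """Names of query parameters whose decoded value carries SQL metacharacters."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote_plus(value)  # second decode catches double-encoded values
        if SQL_HINT.search(value):
            hits.append(name)
    return hits


def analyse(lines):
    """Scan log lines; return findings for the calendar endpoint only."""
    findings = []
    per_ip = Counter()
    for number, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None or not ENDPOINT.search(rec["path"]):
            continue
        per_ip[rec["ip"]] += 1
        bad = suspicious_params(rec["target"])
        if bad:
            findings.append({"line": number, "ip": rec["ip"], "user": rec["user"],
                             "reason": "sql metacharacters in " + ",".join(bad)})
    for ip, count in per_ip.items():
        if count >= FLOOD_THRESHOLD:
            findings.append({"line": None, "ip": ip, "user": None,
                             "reason": f"{count} requests to calendar feed"})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        who = "guest" if f["user"] in (None, "-") else f["user"]
        print(f"line {f['line']}: {f['ip']} ({who}): {f['reason']}")
```

A user field of `-` means the request was unauthenticated, which matters here because the advisory states guest users can reach the page; a hit from a guest source is the higher-priority alert. The keyword list is deliberately short and will miss obfuscated input, so treat the script as a triage aid alongside the upgrade, not a substitute for it.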
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-17T20:55:34.691Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6961cb1719784dcf52be20dd
Added to database: 1/10/2026, 3:44:23 AM
Last enriched: 1/10/2026, 3:58:40 AM
Last updated: 1/10/2026, 8:56:04 PM
Views: 17
Related Threats
- CVE-2026-0824: Cross Site Scripting in questdb ui (Medium)
- CVE-2025-13393: CWE-918 Server-Side Request Forgery (SSRF) in marceljm Featured Image from URL (FIFU) (Medium)
- CVE-2025-12379: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in averta Shortcodes and extra features for Phlox theme (Medium)
- CVE-2026-0822: Heap-based Buffer Overflow in quickjs-ng quickjs (Medium)
- CVE-2026-0821: Heap-based Buffer Overflow in quickjs-ng quickjs (Medium)