CVE-2026-29052 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Calendar module of HumHub, an open-source social network platform. The vulnerability exists in versions prior to 1.8.11 and relates specifically to the handling of Event Types within the calendar. An attacker can exploit improper neutralization of input during web page generation (CWE-79) by injecting malicious JavaScript code into event type fields. When other users, particularly those viewing events created by an administrative account, access the calendar, the injected script executes in their browsers. This can lead to unauthorized actions such as session hijacking, defacement, or redirection to malicious sites. The vulnerability requires no authentication or user interaction, making it easier to exploit remotely. However, the impact is limited to users who view the affected events, and the vulnerability does not affect the availability or integrity of the system directly. The issue was publicly disclosed on March 5, 2026, and has been patched in HumHub Calendar module version 1.8.11. No known exploits have been reported in the wild, but the medium CVSS score of 6.9 reflects the potential risk if exploited. The vulnerability highlights the importance of proper input validation and output encoding in web applications to prevent XSS attacks.

The primary impact of CVE-2026-29052 is on the confidentiality of user data within organizations using the HumHub Calendar module. Successful exploitation allows attackers to execute arbitrary scripts in the context of the victim’s browser, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of the user. While the vulnerability does not affect system availability or integrity directly, it undermines user trust and can facilitate further attacks such as phishing or malware delivery. Organizations with administrative users creating calendar events are at higher risk, as the vulnerability is triggered by events created by such accounts. The lack of authentication or user interaction requirements increases the risk of automated exploitation. Although no active exploits are known, the widespread use of HumHub in community and enterprise environments means that many organizations could be targeted if attackers develop exploit code. Failure to patch could lead to data breaches, reputational damage, and compliance issues related to user data protection.

1. Immediately upgrade the HumHub Calendar module to version 1.8.11 or later, where the vulnerability is patched. 2. Implement strict input validation and output encoding on all user-supplied data fields, especially those rendered in web pages, to prevent injection of malicious scripts. 3. Restrict administrative privileges to trusted personnel and monitor event creation activities for suspicious inputs. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 5. Conduct regular security audits and penetration testing focused on web application vulnerabilities, including XSS. 6. Educate users about the risks of clicking on suspicious links or interacting with unexpected calendar events. 7. Monitor logs and network traffic for unusual activity that could indicate exploitation attempts. 8. Consider deploying web application firewalls (WAF) with rules designed to detect and block XSS payloads targeting the calendar module. These steps collectively reduce the risk of exploitation and limit the impact if an attack occurs.