CVE-2026-29052: HumHub Calendar Module XSS Vulnerability

CVE-2026-29052 Overview

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Calendar module for HumHub, a popular open-source social networking platform. The vulnerability exists in the Event Types functionality within the HumHub Calendar module, which enables users to create one-time or recurring events, manage attendee invitations, and track scheduled activities. Prior to version 1.8.11, malicious JavaScript code can be injected and stored through Event Types, impacting users who view events created by an administrative account.

Critical Impact

Attackers with administrative access can inject persistent malicious scripts that execute in the browsers of users viewing calendar events, potentially leading to session hijacking, credential theft, or further privilege escalation within the HumHub platform.

Affected Products

• HumHub Calendar Module versions prior to 1.8.11
• HumHub installations utilizing the Calendar module with Event Types functionality
• All users viewing events created by compromised or malicious administrative accounts

Discovery Timeline

• 2026-03-05 - CVE-2026-29052 published to NVD
• 2026-03-05 - Last updated in NVD database

Technical Details for CVE-2026-29052

Vulnerability Analysis

This Stored Cross-Site Scripting (XSS) vulnerability (CWE-79) affects the Event Types functionality within the HumHub Calendar module. Stored XSS is particularly dangerous because the malicious payload persists in the application's database, executing every time a user views the affected content. In this case, when an administrator creates or modifies Event Types with malicious JavaScript payloads, these scripts are stored and subsequently executed in the browser context of any user who views events associated with those types.

The attack requires the adversary to have administrative privileges to create or modify Event Types, but the impact extends to all users of the HumHub platform who interact with calendar events. This creates a trust exploitation scenario where legitimate users viewing seemingly harmless calendar entries become victims of the injected scripts.

Root Cause

The root cause of this vulnerability is insufficient input validation and output encoding in the Event Types handling code within the HumHub Calendar module. When administrators create or edit Event Types, the module fails to properly sanitize user-supplied input before storing it in the database and fails to encode the data when rendering it in user interfaces. This allows JavaScript code embedded in Event Type fields to be interpreted and executed by browsers rather than being displayed as plain text.

Attack Vector

The attack vector is network-based, requiring no user interaction beyond normal platform usage. An attacker with administrative access to the HumHub Calendar module can inject malicious JavaScript code into Event Type definitions. When other users, including those without administrative privileges, view calendar events that utilize these compromised Event Types, the injected script executes within their browser session. This can enable:

• Session token theft and account takeover
• Keylogging of user inputs within the HumHub interface
• Redirection to malicious websites
• Manipulation of displayed content to facilitate social engineering
• Propagation of the attack by using stolen sessions to inject additional malicious content

The vulnerability mechanism involves improper handling of user input in Event Type fields. When an administrator saves an Event Type containing script tags or event handlers, the Calendar module stores this content directly in the database. Upon retrieval and rendering for other users, the lack of proper output encoding allows the browser to interpret and execute the malicious code. For detailed technical information, refer to the GitHub Security Advisory GHSA-gqj3-pmp2-mrx8.

Detection Methods for CVE-2026-29052

Indicators of Compromise

• Unusual JavaScript code or HTML tags present in Event Type names or descriptions in the database
• Browser developer console showing unexpected script execution when viewing calendar events
• Reports of unexpected pop-ups, redirects, or behavior when users access calendar functionality
• Server logs indicating requests to external domains originating from the calendar module pages

Detection Strategies

• Implement Content Security Policy (CSP) headers to detect and block inline script execution, which would generate violation reports
• Monitor database tables storing Event Type information for suspicious patterns including <script>, onerror=, onclick=, and similar XSS payloads
• Deploy Web Application Firewall (WAF) rules to detect and log XSS patterns in requests to Calendar module endpoints
• Conduct regular security audits of Event Type content using automated XSS detection tools

Monitoring Recommendations

• Enable logging for all administrative actions within the HumHub Calendar module, particularly Event Type creation and modification
• Configure alerting for CSP violations that may indicate attempted or successful XSS exploitation
• Monitor user session patterns for anomalies that could indicate session hijacking following XSS attacks
• Implement browser-based security monitoring to detect unauthorized script execution on HumHub pages

How to Mitigate CVE-2026-29052

Immediate Actions Required

• Upgrade the HumHub Calendar module to version 1.8.11 or later immediately
• Review existing Event Types for any suspicious or unexpected content that may contain malicious scripts
• Audit administrative account access and ensure only trusted personnel have Event Type modification privileges
• Implement Content Security Policy headers to provide defense-in-depth against XSS attacks

Patch Information

HumHub has addressed this vulnerability in Calendar module version 1.8.11. Organizations should upgrade to this version or later to remediate the Stored XSS vulnerability. The patch includes proper input validation and output encoding for Event Type data. Release information is available at the GitHub Calendar Release v1.8.11. Additional security details can be found in the GitHub Security Advisory GHSA-gqj3-pmp2-mrx8.

Workarounds

• Restrict administrative access to the Calendar module to only essential personnel until the patch can be applied
• Implement Web Application Firewall rules to filter XSS payloads in requests targeting Calendar module endpoints
• Deploy Content Security Policy headers with strict directives to prevent inline script execution
• Manually review and sanitize all existing Event Types to remove any potentially malicious content

# Configuration example - Add Content Security Policy headers to your web server
# Apache configuration example (.htaccess or httpd.conf)
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self';"

# Nginx configuration example
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self';";