A vulnerability was found in calcom cal.diy up to 4.9.4 and classified as critical . The affected element is the function validateUrlForSSRF of the file apps/web/app/api/logo/route.ts of the component Logo API . The manipulation results in server-side request forgery. This vulnerability is known as CVE-2026-9304 . It is possible to launch the attack remotely. Furthermore, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.