A vulnerability identified as problematic has been detected in calcom cal.diy up to 4.9.4 . Affected by this issue is the function getServerSideProps of the file apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx of the component Generic React API . This manipulation of the argument cancelledBy/rescheduledBy causes information disclosure. This vulnerability is handled as CVE-2026-9349 . The attack can be initiated remotely. Additionally, an exploit exists. The vendor was