Thanks to the security researchers at for responsible disclosure and communication concerning this issue.

Security Issue Addressed

Prior versions of My Calendar 3.4 contained an unauthenticated SQL (Structured Query Language (a database standard)) injection vulnerability. has assessed this issue with a CVE score of 8.6. This is a severe security issue, so please update My Calendar as soon as possible.

Read the published security advisory from

There are no changes between 3.4.21 and 3.4.22 other than this security fix.

This issue impacts My Calendar versions below version 3.4 only if you have enabled the external API (Application Programming Interface) endpoints, which are not enabled by default. If you are still using an earlier version of My Calendar and are unable to upgrade, you should verify that this option is disabled at My Calendar > Settings > “Enable external API”.

Update Dec. 1st 2023

Note: The original version of this post cited a CVE score of 9.8, but the vulnerability was downgraded to 8.6 in the published advisory.