{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33635", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T14:24:11.619Z", "datePublished": "2026-03-26T20:30:43.696Z", "dateUpdated": "2026-03-30T11:33:48.950Z"}, "containers": {"cna": {"title": "iCalendar has ICS injection via unsanitized URI property values", "problemTypes": [{"descriptions": [{"cweId": "CWE-93", "lang": "en", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/icalendar/icalendar/security/advisories/GHSA-pv9c-9mfh-hvxq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/icalendar/icalendar/security/advisories/GHSA-pv9c-9mfh-hvxq"}, {"name": "https://github.com/icalendar/icalendar/commit/b8d23b490363ee5fffaec1d269a8618a912ca265", "tags": ["x_refsource_MISC"], "url": "https://github.com/icalendar/icalendar/commit/b8d23b490363ee5fffaec1d269a8618a912ca265"}, {"name": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/icalendar/CVE-2026-33635.yml", "tags": ["x_refsource_MISC"], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/icalendar/CVE-2026-33635.yml"}], "affected": [{"vendor": "icalendar", "product": "icalendar", "versions": [{"version": ">= 2.0.0, < 2.12.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:30:43.696Z"}, "descriptions": [{"lang": "en", "value": "iCalendar is a Ruby library for dealing with iCalendar files in the iCalendar format defined by RFC-5545. Starting in version 2.0.0 and prior to version 2.12.2, .ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input, adding arbitrary calendar lines to the output. `Icalendar::Values::Uri` falls back to the raw input string when `URI.parse` fails and later serializes it with `value.to_s` without removing or escaping `\\r` or `\\n` characters. That value is embedded directly into the final ICS line by the normal serializer, so a payload containing CRLF can terminate the original property and create a new ICS property or component. (It looks like you can inject via url, source, image, organizer, attach, attendee, conference, tzurl because of this). Applications that generate `.ics` files from partially untrusted metadata are impacted. As a result, downstream calendar clients or importers may process attacker-supplied content as if it were legitimate event data, such as added attendees, modified URLs, alarms, or other calendar fields. Version 2.12.2 contains a patch for the issue."}], "source": {"advisory": "GHSA-pv9c-9mfh-hvxq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T11:33:37.244425Z", "id": "CVE-2026-33635", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T11:33:48.950Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33635", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T11:33:37.244425Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T11:33:45.440Z"}}], "cna": {"title": "iCalendar has ICS injection via unsanitized URI property values", "source": {"advisory": "GHSA-pv9c-9mfh-hvxq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "icalendar", "product": "icalendar", "versions": [{"status": "affected", "version": ">= 2.0.0, < 2.12.2"}]}], "references": [{"url": "https://github.com/icalendar/icalendar/security/advisories/GHSA-pv9c-9mfh-hvxq", "name": "https://github.com/icalendar/icalendar/security/advisories/GHSA-pv9c-9mfh-hvxq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/icalendar/icalendar/commit/b8d23b490363ee5fffaec1d269a8618a912ca265", "name": "https://github.com/icalendar/icalendar/commit/b8d23b490363ee5fffaec1d269a8618a912ca265", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/icalendar/CVE-2026-33635.yml", "name": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/icalendar/CVE-2026-33635.yml", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "iCalendar is a Ruby library for dealing with iCalendar files in the iCalendar format defined by RFC-5545. Starting in version 2.0.0 and prior to version 2.12.2, .ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input, adding arbitrary calendar lines to the output. `Icalendar::Values::Uri` falls back to the raw input string when `URI.parse` fails and later serializes it with `value.to_s` without removing or escaping `\\r` or `\\n` characters. That value is embedded directly into the final ICS line by the normal serializer, so a payload containing CRLF can terminate the original property and create a new ICS property or component. (It looks like you can inject via url, source, image, organizer, attach, attendee, conference, tzurl because of this). Applications that generate `.ics` files from partially untrusted metadata are impacted. As a result, downstream calendar clients or importers may process attacker-supplied content as if it were legitimate event data, such as added attendees, modified URLs, alarms, or other calendar fields. Version 2.12.2 contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-93", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:30:43.696Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33635", "state": "PUBLISHED", "dateUpdated": "2026-03-30T11:33:48.950Z", "dateReserved": "2026-03-23T14:24:11.619Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T20:30:43.696Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:icalendar_project:icalendar:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "3BBE7B6B-857A-41B0-A38E-7FA77FDB1497", "versionEndExcluding": "2.12.2", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "iCalendar is a Ruby library for dealing with iCalendar files in the iCalendar format defined by RFC-5545. Starting in version 2.0.0 and prior to version 2.12.2, .ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input, adding arbitrary calendar lines to the output. `Icalendar::Values::Uri` falls back to the raw input string when `URI.parse` fails and later serializes it with `value.to_s` without removing or escaping `\\r` or `\\n` characters. That value is embedded directly into the final ICS line by the normal serializer, so a payload containing CRLF can terminate the original property and create a new ICS property or component. (It looks like you can inject via url, source, image, organizer, attach, attendee, conference, tzurl because of this). Applications that generate `.ics` files from partially untrusted metadata are impacted. As a result, downstream calendar clients or importers may process attacker-supplied content as if it were legitimate event data, such as added attendees, modified URLs, alarms, or other calendar fields. Version 2.12.2 contains a patch for the issue."}, {"lang": "es", "value": "iCalendar es una biblioteca de Ruby dise\u00f1ada para gestionar archivos iCalendar en el formato definido por el RFC-5545. Desde la versi\u00f3n 2.0.0 hasta la versi\u00f3n 2.12.2, la serializaci\u00f3n de archivos .ics no depura correctamente los valores de las propiedades URI, lo que permite la inyecci\u00f3n ICS a trav\u00e9s de entradas controladas por un atacante, a\u00f1adiendo entradas de calendario arbitrarias a la salida. `Icalendar::Values::Uri` recurre a la cadena de entrada sin procesar cuando `URI.parse` falla y posteriormente la serializa con `value.to_s` sin eliminar ni escapar los caracteres \\r o \\n. Ese valor se incrusta directamente en la l\u00ednea ICS final mediante el serializador normal, por lo que una carga \u00fatil que contenga CRLF puede terminar la propiedad original y crear una nueva propiedad o componente ICS. (Parece que, debido a esto, se puede inyectar a trav\u00e9s de url, source, image, organizer, attach, attendee, conference y tzurl). Las aplicaciones que generan archivos `.ics` a partir de metadatos parcialmente no fiables se ven afectadas. Como resultado, los clientes de calendario o importadores posteriores pueden procesar el contenido proporcionado por el atacante como si se tratara de datos de eventos leg\u00edtimos, tales como asistentes a\u00f1adidos, URL modificadas, alarmas u otros campos del calendario. La versi\u00f3n 2.12.2 contiene un parche para este problema."}], "id": "CVE-2026-33635", "lastModified": "2026-04-10T15:49:23.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-26T21:17:07.287", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/icalendar/icalendar/commit/b8d23b490363ee5fffaec1d269a8618a912ca265"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/icalendar/icalendar/security/advisories/GHSA-pv9c-9mfh-hvxq"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/icalendar/CVE-2026-33635.yml"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.12.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "icalendar", "vendor": "icalendar"}], "analysis": {"en": {"generated_at": "2026-04-10T17:56:11.991237+00:00", "value": {"mitigation_remediation": ["Update the icalendar gem to version 2.12.2 or later."], "summary": {"action": "Apply patch", "impact": "Unauthorized calendar content injection"}, "threat_synthesis": {"affected_systems": "vulnerable versions of the icalendar gem range from 2.0.0 up to, but not including, 2.12.2. Any Ruby application that employs these versions to generate iCalendar files from partially untrusted input is impacted.", "description_and_impact": "The icalendar Ruby library incorrectly serializes URI property values in .ics files, allowing an attacker to insert carriage\u2011return line\u2011feed characters that terminate the original property and inject new calendar lines. This can result in the addition of arbitrary attendees, modified URLs, alarms, or other calendar fields without the victim\u2019s knowledge. The weakness is a classic input validation failure (CWE\u201193).", "risk_and_exploitability": "The CVSS score is 4.3, indicating a moderate severity. The EPSS score is below 1%, suggesting a low likelihood of exploitation, and the issue is not listed in the CISA KEV catalog. The most probable attack path involves an application that accepts user\u2011supplied data, feeds it to icalendar for .ics generation, and then distributes or imports the file in other calendar clients. If successful, the attacker can alter event data but does not obtain arbitrary code execution."}}}}, "created": "2026-03-27T08:32:04.323068+00:00", "updated": "2026-04-13T14:28:19.675481+00:00", "vendors": ["icalendar", "icalendar$PRODUCT$icalendar"]}