cvedb.io
CVE-2026-33635
MEDIUM · CVSS 4.3
EPSS exploitation probability: 0%
Published 2026-03-26T21:17:07.287 · Last modified 2026-06-17T10:37:49.343

Summary

iCalendar is a Ruby library for dealing with iCalendar files in the iCalendar format defined by RFC-5545. Starting in version 2.0.0 and prior to version 2.12.2, .ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input, adding arbitrary calendar lines to the output. `Icalendar::Values::Uri` falls back to the raw input string when `URI.parse` fails and later serializes it with `value.to_s` without removing or escaping `\r` or `\n` characters. That value is embedded directly into the final ICS line by the normal serializer, so a payload containing CRLF can terminate the original property and create a new ICS property or component. (It looks like you can inject via url, source, image, organizer, attach, attendee, conference, tz

Affected products

icalendar_project — icalendar

Does this affect you?

Add your gear to cvedb and we'll alert you only when icalendar_project ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.