Description
iCalendar is a Ruby library for dealing with iCalendar files in the iCalendar format defined by RFC 5545. Starting in version 2.0.0 and prior to version 2.12.2, .ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input that adds arbitrary calendar lines to the output. `Icalendar::Values::Uri` falls back to the raw input string when `URI.parse` fails and later serializes it with `value.to_s` without removing or escaping `\r` or `\n` characters. That value is embedded directly into the final ICS line by the normal serializer, so a payload containing CRLF can terminate the original property and create a new ICS property or component. (The same fallback appears to allow injection through the url, source, image, organizer, attach, attendee, conference and tzurl properties.) Applications that generate `.ics` files from partially untrusted metadata are impacted. As a result, downstream calendar clients or importers may process attacker-supplied content as if it were legitimate event data, such as added attendees, modified URLs, alarms, or other calendar fields. Version 2.12.2 contains a patch for the issue.
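As an added example (not code from the icalendar gem or this advisory), the Ruby module below shows the application-side counterpart of the fix: a guard that refuses URI values containing control characters before they reach any serializer, and a checker that unfolds generated .ics text and lists each VEVENT's property names so a regression test can catch a line that the generator never set. The module name, method names and sample inputs are assumptions constructed for this example.

```ruby
require "uri"

# Added example, not code from the icalendar gem or this advisory. The bug
# above let CR/LF in a URI value become new ICS content lines; this guard
# refuses such values before any serializer sees them, and the checker lets a
# test confirm generated .ics text carries only the intended properties.
module IcsUriGuard
  class UnsafeValue < ArgumentError; end

  # RFC 5545 content lines are delimited by CRLF, so no valid URI value may
  # contain CR, LF, or any other C0/DEL control character.
  CONTROL = /[\x00-\x1F\x7F]/

  # Returns the value as a String or raises UnsafeValue. The control-character
  # check runs first, so a CRLF payload is refused even if a parser accepts it.
  def self.check(value)
    str = value.to_s
    raise UnsafeValue, "control character in URI value" if str.match?(CONTROL)
    URI.parse(str)  # raises URI::InvalidURIError on malformed input
    str
  rescue URI::InvalidURIError => e
    raise UnsafeValue, "not a URI: #{e.message}"
  end

  # Boolean form of check, for model validations.
  def self.safe?(value)
    check(value)
    true
  rescue UnsafeValue
    false
  end

  # Regression check for serialized .ics text: unfolds RFC 5545 continuation
  # lines (CRLF + space/tab) and returns the property names of each VEVENT in
  # order, so an injected line (e.g. an ATTENDEE after URL) shows up by name.
  def self.event_properties(ics)
    unfolded = ics.gsub(/\r?\n[ \t]/, "")
    events, current = [], nil
    unfolded.split(/\r?\n/).each do |line|
      next if line.empty?
      case line.upcase
      when "BEGIN:VEVENT" then current = []
      when "END:VEVENT"   then events << current; current = nil
      else current << line.split(/[;:]/, 2).first.upcase if current
      end
    end
    events
  end
end
```

Compare the returned name list against the properties your generator intends to emit for each event; any extra name is a line that came from a value, not from your code.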
Published: 2026-03-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized calendar content injection
Action: Apply patch
AI Analysis

Impact

The icalendar Ruby library incorrectly serializes URI property values in .ics files, allowing an attacker to insert carriage‑return line‑feed characters that terminate the original property and inject new calendar lines. This can result in the addition of arbitrary attendees, modified URLs, alarms, or other calendar fields without the victim’s knowledge. The weakness is a classic input validation failure (CWE‑93).

Affected Systems

Vulnerable versions of the icalendar gem range from 2.0.0 up to, but not including, 2.12.2. Any Ruby application that uses these versions to generate iCalendar files from partially untrusted input is impacted.

Risk and Exploitability

The CVSS score is 4.3, indicating a moderate severity. The EPSS score is below 1%, suggesting a low likelihood of exploitation, and the issue is not listed in the CISA KEV catalog. The most probable attack path involves an application that accepts user‑supplied data, feeds it to icalendar for .ics generation, and then distributes or imports the file in other calendar clients. If successful, the attacker can alter event data but does not obtain arbitrary code execution.

Generated by OpenCVE AI on April 10, 2026 at 17:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the icalendar gem to version 2.12.2 or later.


Advisories

Source: GitHub GHSA
ID: GHSA-pv9c-9mfh-hvxq
Title: iCalendar has ICS injection via unsanitized URI property values

History

Fri, 10 Apr 2026 16:00:00 +0000
  First Time appeared: Icalendar Project; Icalendar Project icalendar
  CPEs: cpe:2.3:a:icalendar_project:icalendar:*:*:*:*:*:ruby:*:*
  Vendors & Products: Icalendar Project; Icalendar Project icalendar

Mon, 30 Mar 2026 12:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:45:00 +0000
  First Time appeared: Icalendar; Icalendar icalendar
  Vendors & Products: Icalendar; Icalendar icalendar

Thu, 26 Mar 2026 21:00:00 +0000
  Description: (identical to the Description at the top of this page)
  Title: iCalendar has ICS injection via unsanitized URI property values
  Weaknesses: CWE-93
  References:
  Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-30T11:33:48.950Z
Reserved: 2026-03-23T14:24:11.619Z
Link: CVE-2026-33635

Vulnrichment

Updated: 2026-03-30T11:33:45.440Z

NVD

Status: Analyzed
Published: 2026-03-26T21:17:07.287
Modified: 2026-04-10T15:49:23.240
Link: CVE-2026-33635

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:28:19Z

Weaknesses