Description
iCalendar is a Ruby library for dealing with iCalendar files in the iCalendar format defined by RFC-5545. Starting in version 2.0.0 and prior to version 2.12.2, .ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input, adding arbitrary calendar lines to the output. `Icalendar::Values::Uri` falls back to the raw input string when `URI.parse` fails and later serializes it with `value.to_s` without removing or escaping `\r` or `\n` characters. That value is embedded directly into the final ICS line by the normal serializer, so a payload containing CRLF can terminate the original property and create a new ICS property or component. (It looks like you can inject via url, source, image, organizer, attach, attendee, conference, tzurl because of this). Applications that generate `.ics` files from partially untrusted metadata are impacted. As a result, downstream calendar clients or importers may process attacker-supplied content as if it were legitimate event data, such as added attendees, modified URLs, alarms, or other calendar fields. Version 2.12.2 contains a patch for the issue.
Published: 2026-03-26
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: Insecure calendar injection may allow tampering with event data.
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists in the iCalendar Ruby library. Unsanitized URI property values allow injection of CRLF characters into the serialized .ics output. An attacker can embed malicious calendar lines, causing downstream clients to process unwanted event components such as additional attendees or alarms.

Affected Systems

Affected systems include any application that uses the iCalendar gem from version 2.0.0 up to but not including 2.12.2, especially those that generate .ics files from metadata that is partially or fully attacker-controlled (for example user-supplied event URLs, attachments, or attendee addresses).

Risk and Exploitability

The CVSS 3.1 base score is 4.3 (Medium), vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. No privileges are required: the attacker only needs to get a URI value containing a CR or LF character into an application that serializes it with the vulnerable gem. The user-interaction component reflects the second step, a downstream calendar client or importer processing the generated file. The impact is limited to the integrity of calendar data (injected attendees, alarms, or other properties); confidentiality and availability are not affected. The vulnerability is not listed in the KEV catalog. Upgrading to the patched gem removes the injection path in the library itself; applications should still treat attacker-supplied metadata as untrusted input.

Generated by OpenCVE AI on March 26, 2026 at 22:26 UTC.

Remediation

Fixed upstream in iCalendar gem version 2.12.2 (see the GHSA advisory below); no separate workaround is published by the vendor.

OpenCVE Recommended Actions

  • Upgrade the iCalendar gem to version 2.12.2 or newer.
  • Validate or escape URI property values before passing them to the library if an upgrade is not immediately possible.
  • Ensure that only trusted, sanitized metadata is used to generate calendar files.
  • Monitor application logs for unexpected calendar events or changes.

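The following Ruby script is an added example, not code from the icalendar gem or from the OpenCVE page. It serves two passages above: the mechanism in the Description and Impact sections (a `Uri` value that falls back to the raw input when `URI.parse` fails and is then emitted with `to_s`, so a CRLF in the value terminates the URL line and starts a new property), and the recommended action of validating URI values before they reach the library. The class and method names (`VulnerableUriValue`, `SafeUriValue`, `serialize_event`, `unexpected_properties`) and the payload are constructed for illustration; the stand-in classes model the described behaviour and do not reproduce the gem's internals or its actual patch.

```ruby
# Added example: a minimal model of the serialization path the advisory
# describes, a hardened variant, and an audit of the generated output.
# None of this is the icalendar gem's own code.
require "uri"

# Assumed stand-in for Icalendar::Values::Uri: keep URI.parse's result when it
# succeeds, otherwise fall back to the raw string, as the advisory describes.
# Nothing here strips "\r" or "\n", which is the defect being modelled.
class VulnerableUriValue
  attr_reader :value

  def initialize(raw)
    @value = begin
      URI.parse(raw)
    rescue URI::InvalidURIError
      raw
    end
  end

  # The serializer embeds this string directly into the "URL:" line.
  def to_ical
    value.to_s
  end
end

# Hardened variant (illustrative, not the gem's patch): reject CR, LF and any
# other C0 control character before the value can reach the serializer.
class SafeUriValue < VulnerableUriValue
  def initialize(raw)
    if raw.match?(/[\x00-\x1f\x7f]/)
      raise ArgumentError, "control characters are not allowed in a URI value"
    end
    super
  end
end

# Minimal VEVENT emitter: one "NAME:value" line per property, CRLF-terminated,
# mirroring how an ICS serializer places the value on its own content line.
def serialize_event(uid, summary, url_value)
  lines = [
    "BEGIN:VEVENT",
    "UID:#{uid}",
    "SUMMARY:#{summary}",
    "URL:#{url_value.to_ical}",
    "END:VEVENT",
  ]
  lines.join("\r\n") + "\r\n"
end

# Constructed attacker input: a plausible URL followed by CRLF and an ATTENDEE
# property. URI.parse rejects the control characters, so the vulnerable class
# keeps the whole string and the serializer emits the ATTENDEE line as-is.
PAYLOAD = "https://example.com/event\r\n" \
          "ATTENDEE;ROLE=REQ-PARTICIPANT:mailto:attacker@example.net"

# Property names as a downstream parser would see them, one per content line.
def property_names(ics)
  ics.split("\r\n").map { |line| line.split(/[;:]/, 2).first }
end

def vulnerable_output
  serialize_event("1@example.com", "Team sync", VulnerableUriValue.new(PAYLOAD))
end

# true when the hardened value class refuses the payload.
def hardened_rejects?
  SafeUriValue.new(PAYLOAD)
  false
rescue ArgumentError
  true
end

# Audit helper for already-generated files: flag any property the generating
# code did not intend to emit (the allow-list is this example's own).
EXPECTED_PROPERTIES = %w[BEGIN UID SUMMARY URL END].freeze

def unexpected_properties(ics)
  property_names(ics).reject { |name| EXPECTED_PROPERTIES.include?(name) }
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_output
  puts "injected properties: #{unexpected_properties(vulnerable_output).inspect}"
  puts "hardened class rejects payload: #{hardered_rejects = hardened_rejects?}"
end
```

Running the script prints a VEVENT whose URL line is followed by an ATTENDEE line the caller never wrote, reports `["ATTENDEE"]` as unexpected, and shows the hardened class refusing the same input. The same allow-list check can be run over existing .ics files produced before the upgrade to find output that was already tampered with.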
Advisories
Source | ID | Title
Github GHSA | GHSA-pv9c-9mfh-hvxq | iCalendar has ICS injection via unsanitized URI property values
History

Fri, 27 Mar 2026 08:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Icalendar; Icalendar icalendar
Vendors & Products | | Icalendar; Icalendar icalendar

Thu, 26 Mar 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | | iCalendar is a Ruby library for dealing with iCalendar files in the iCalendar format defined by RFC-5545. Starting in version 2.0.0 and prior to version 2.12.2, .ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input, adding arbitrary calendar lines to the output. `Icalendar::Values::Uri` falls back to the raw input string when `URI.parse` fails and later serializes it with `value.to_s` without removing or escaping `\r` or `\n` characters. That value is embedded directly into the final ICS line by the normal serializer, so a payload containing CRLF can terminate the original property and create a new ICS property or component. (It looks like you can inject via url, source, image, organizer, attach, attendee, conference, tzurl because of this). Applications that generate `.ics` files from partially untrusted metadata are impacted. As a result, downstream calendar clients or importers may process attacker-supplied content as if it were legitimate event data, such as added attendees, modified URLs, alarms, or other calendar fields. Version 2.12.2 contains a patch for the issue.
Title | | iCalendar has ICS injection via unsanitized URI property values
Weaknesses | | CWE-93
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T20:30:43.696Z

Reserved: 2026-03-23T14:24:11.619Z

Link: CVE-2026-33635

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-26T21:17:07.287

Modified: 2026-03-26T21:17:07.287

Link: CVE-2026-33635

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:23:32Z

Weaknesses