Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS(), which builds an ICS calendar file via the ICS helper class. ICS::escape_string() (objects/ICS.php:167-169) only escapes , and ; and does NOT neutralize CR/LF, so attacker CRLF bytes inside a property value break out and inject arbitrary ICS lines — including END:VEVENT / BEGIN:VEVENT pairs that add entire attacker-controlled calendar events. Because the malicious .ics file is served from the victim's trusted AVideo origin, this enables high-credibility calendar phishing: forged meetings with attacker-chosen SUMMARY, URL, LOCATION, and DESCRIPTION landing in the victim's calendar after import. Commit 764db592f99e545aa86bb9a4ad664ffd14c38ba5 contains an updated fix.
Published: 2026-05-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated input to the Scheduler/downloadICS.php endpoint is concatenated into an ICS file without adequate escaping. The escape routine only neutralizes commas and semicolons, leaving carriage-return and line-feed bytes untouched. An attacker can embed CRLF sequences that terminate a property value and inject entirely new ICS lines, including BEGIN:VEVENT and END:VEVENT pairs. Because the resulting malicious ICS file is served from the trusted AVideo origin, an attacker can insert forged calendar events that appear legitimate to the victim, potentially causing the victim to accept phishing invitations or schedule unintended meetings.

Affected Systems

The vulnerability affects WWBN AVideo versions up to and including 29.0. The affected component is the Scheduler plugin, specifically the downloadICS.php script that invokes Scheduler::downloadICS() and the underlying ICS helper's escape routine.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity; however, the vulnerability permits an attacker to create high-credibility calendar events that the victim may accept after import, representing a targeted social-engineering risk. The EPSS score is not available, and the entry is not listed in CISA's KEV catalog, suggesting limited evidence of exploitation so far. The attack vector is inferred to be a direct HTTP request to a publicly exposed endpoint, using crafted query parameters to inject CRLF sequences.

Generated by OpenCVE AI on May 11, 2026 at 22:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch that updates the escape routine – commit 764db592f99e545aa86bb9a4ad664ffd14c38ba5 – or upgrade to any AVideo release newer than 29.0 that incorporates this fix.
  • Disable or secure the Scheduler/downloadICS.php endpoint by requiring authentication or removing it from the production environment until a patch is applied.
  • Verify that the calendar export feature no longer accepts unauthenticated requests, and enforce strict input validation that rejects embedded CR/LF characters before constructing ics files.
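To make the escaping defect and the recommended fix concrete, here is an added Python re-implementation (not AVideo's own PHP code from objects/ICS.php) of the weak escaper that only handles commas and semicolons, beside an RFC 5545 TEXT escaper, together with the raw CR/LF rejection and a structural check on the generated calendar. The helper names, the sample event text and the example.invalid URL are constructed for this illustration.

```python
import re

# Constructed example: a Python re-implementation of the escaping behaviour the
# advisory describes, not AVideo's own PHP (objects/ICS.php) code.

def escape_weak(value: str) -> str:
    """Mirror of the defect: commas and semicolons escaped, CR/LF untouched."""
    return value.replace(",", "\\,").replace(";", "\\;")

def escape_rfc5545(value: str) -> str:
    """RFC 5545 section 3.3.11 TEXT escaping. Line breaks become the two
    characters backslash-n, so a value can never open a new content line."""
    value = value.replace("\\", "\\\\")                  # backslash first
    value = value.replace("\r\n", "\n").replace("\r", "\n")
    value = value.replace("\n", "\\n")
    return value.replace(";", "\\;").replace(",", "\\,")

def has_bare_line_breaks(value: str) -> bool:
    """Input check the recommended actions call for: reject raw CR/LF."""
    return "\r" in value or "\n" in value

def build_calendar(summary: str, description: str, url: str, esc) -> str:
    """Minimal VCALENDAR with one VEVENT, built with the given escaper."""
    lines = [
        "BEGIN:VCALENDAR", "VERSION:2.0",
        "BEGIN:VEVENT",
        "SUMMARY:" + esc(summary),
        "DESCRIPTION:" + esc(description),
        "URL:" + esc(url),
        "END:VEVENT",
        "END:VCALENDAR",
    ]
    return "\r\n".join(lines) + "\r\n"

def count_vevents(ics: str) -> int:
    """Structural check on the output: how many events does it declare?"""
    return len(re.findall(r"^BEGIN:VEVENT\r?$", ics, flags=re.M))

# Constructed hostile title: a CRLF closes the SUMMARY line and the remainder
# is parsed as new content lines, the break-out the advisory describes.
HOSTILE_TITLE = "Team sync\r\nEND:VEVENT\r\nBEGIN:VEVENT\r\nSUMMARY:Forged meeting"
JOIN_URL = "https://example.invalid/join"   # placeholder URL

if __name__ == "__main__":
    weak = build_calendar(HOSTILE_TITLE, "agenda", JOIN_URL, escape_weak)
    safe = build_calendar(HOSTILE_TITLE, "agenda", JOIN_URL, escape_rfc5545)
    print("weak escaper, events declared:", count_vevents(weak))     # 2
    print("rfc5545 escaper, events declared:", count_vevents(safe))  # 1
    print("rejected by input check:", has_bare_line_breaks(HOSTILE_TITLE))  # True
```

The weak escaper yields a calendar that declares two events from a single title; the RFC 5545 escaper keeps the whole title on one SUMMARY line, and the input check rejects the value before any file is built.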


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-mwgh-92m2-wvhv
Title: AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing
History

Mon, 11 May 2026 23:00:00 +0000

Type: First Time appeared
Values added: Wwbn; Wwbn avideo

Type: Vendors & Products
Values added: Wwbn; Wwbn avideo

Mon, 11 May 2026 21:30:00 +0000

Type: Description
Values added: WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS(), which builds an ICS calendar file via the ICS helper class. ICS::escape_string() (objects/ICS.php:167-169) only escapes , and ; and does NOT neutralize CR/LF, so attacker CRLF bytes inside a property value break out and inject arbitrary ICS lines — including END:VEVENT / BEGIN:VEVENT pairs that add entire attacker-controlled calendar events. Because the malicious .ics file is served from the victim's trusted AVideo origin, this enables high-credibility calendar phishing: forged meetings with attacker-chosen SUMMARY, URL, LOCATION, and DESCRIPTION landing in the victim's calendar after import. Commit 764db592f99e545aa86bb9a4ad664ffd14c38ba5 contains an updated fix.

Type: Title
Values added: WWBN AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing

Type: Weaknesses
Values added: CWE-93

Type: References
Values added: (none listed)

Type: Metrics
Values added: cvssV3_1, score 4.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T20:40:53.428Z

Reserved: 2026-05-04T15:17:09.329Z

Link: CVE-2026-43882

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-11T22:22:12.803

Modified: 2026-05-12T15:13:21.560

Link: CVE-2026-43882

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T23:00:19Z

Weaknesses