Threat Advisory

iCalendar Vulnerability Exposes ICS Injection Attacks

Threat: Vulnerability
Threat Actor Name: -
Threat Actor Type: -
Targeted Region: Global
Alias: -
Threat Actor Region: -
Targeted Sector: Technology & IT
Criticality: Medium

EXECUTIVE SUMMARY:

CVE-2026-33635 (CVSS score 4.3) is a vulnerability in the ICS serialization functionality of the iCalendar library that allows an attacker to inject arbitrary calendar lines into the output through unsanitized URI property values. The ICS serializer does not sanitize URI property values, so attacker-controlled input can perform ICS injection. Specifically, the Icalendar::Values::Uri class fails to remove or escape CRLF characters, allowing an attacker to terminate the original property and start a new ICS property or component. An attacker can exploit this by submitting a malicious URI property value, such as an email address with embedded CRLF characters, to an application that generates .ics files from partially untrusted metadata. The injected lines can add attendees, modify URLs, or create alarms. The business impact is significant: downstream calendar clients or importers may process attacker-supplied content as if it were legitimate event data, leading to potential security risks and disruptions. Exploitation requires access to an application that generates .ics files from partially untrusted metadata and the ability to submit input through the affected URI property values.
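The mechanism described above, as an added illustration that is not code from the iCalendar gem or from the advisory: a minimal property serializer that appends the value verbatim (so an embedded CRLF splits one property into two content lines), a hardened variant that rejects line breaks in URI values before they reach the output, and a check that counts emitted content lines so generated .ics text can be verified. The method names, the constructed input and the expected line counts are assumptions for this example only.

```ruby
# Added example, not code from the icalendar gem. All method names here
# (ics_property_unsafe, safe_uri_value, extra_lines, ...) are assumptions.

# Constructed input: an email-style URI value carrying an embedded CRLF.
# In a real application such a value would come from untrusted metadata.
UNTRUSTED_URI = "mailto:alice@example.com\r\nATTENDEE:mailto:injected@example.com"

# Models the flawed behaviour the advisory describes: the value is written
# verbatim, so a CRLF inside it ends the property and starts a new line.
def ics_property_unsafe(name, value)
  "#{name}:#{value}\r\n"
end

# Hardened value handling. A URI never legitimately contains CR or LF
# (RFC 3986 has no line breaks), so their presence is evidence of tampering.
# Rejecting is preferable to silently stripping: the caller learns that the
# input was malformed instead of emitting a quietly altered file.
def safe_uri_value(value)
  raise ArgumentError, "line break in URI value" if value.match?(/[\r\n]/)
  value
end

def ics_property_safe(name, value)
  "#{name}:#{safe_uri_value(value)}\r\n"
end

# Detection helper for generated .ics text. RFC 5545 folds long lines by
# continuing them on a line that starts with a space or tab, so unfold
# first, then count the remaining content lines.
def content_lines(ics)
  ics.gsub(/\r\n[ \t]/, "").split("\r\n").reject(&:empty?)
end

# One serialized property should yield exactly one content line; any surplus
# means the serialization step let injected lines through.
def extra_lines(ics, expected)
  content_lines(ics).size - expected
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe serializer extra lines: #{extra_lines(ics_property_unsafe('URL', UNTRUSTED_URI), 1)}"
  puts "safe serializer extra lines:   #{extra_lines(ics_property_safe('URL', 'mailto:alice@example.com'), 1)}"
  begin
    ics_property_safe('URL', UNTRUSTED_URI)
  rescue ArgumentError => e
    puts "safe serializer rejected input: #{e.message}"
  end
end
```

The line-count check is a cheap post-generation guard for any application that builds .ics files from user-supplied fields: the number of content lines it emits is known at serialization time, so a mismatch is a reliable signal that a value contained a line break.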

RECOMMENDATION:

We recommend updating iCalendar to version 2.12.2.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-pv9c-9mfh-hvxq
