VulnerableCode Package Details - pkg:gem/icalendar@2.10.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-t2g3-d1e3-5yg4 Aliases: CVE-2026-33635 GHSA-pv9c-9mfh-hvxq	iCalendar is a Ruby library for dealing with iCalendar files in the iCalendar format defined by RFC-5545. Starting in version 2.0.0 and prior to version 2.12.2, .ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input, adding arbitrary calendar lines to the output. `Icalendar::Values::Uri` falls back to the raw input string when `URI.parse` fails and later serializes it with `value.to_s` without removing or escaping `\r` or `\n` characters. That value is embedded directly into the final ICS line by the normal serializer, so a payload containing CRLF can terminate the original property and create a new ICS property or component. (It looks like you can inject via url, source, image, organizer, attach, attendee, conference, tzurl because of this). Applications that generate `.ics` files from partially untrusted metadata are impacted. As a result, downstream calendar clients or importers may process attacker-supplied content as if it were legitimate event data, such as added attendees, modified URLs, alarms, or other calendar fields. Version 2.12.2 contains a patch for the issue.	2.12.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-t2g3-d1e3-5yg4
Aliases:
CVE-2026-33635
GHSA-pv9c-9mfh-hvxq

iCalendar is a Ruby library for dealing with iCalendar files in the iCalendar format defined by RFC-5545. Starting in version 2.0.0 and prior to version 2.12.2, .ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input, adding arbitrary calendar lines to the output. `Icalendar::Values::Uri` falls back to the raw input string when `URI.parse` fails and later serializes it with `value.to_s` without removing or escaping `\r` or `\n` characters. That value is embedded directly into the final ICS line by the normal serializer, so a payload containing CRLF can terminate the original property and create a new ICS property or component. (It looks like you can inject via url, source, image, organizer, attach, attendee, conference, tzurl because of this). Applications that generate `.ics` files from partially untrusted metadata are impacted. As a result, downstream calendar clients or importers may process attacker-supplied content as if it were legitimate event data, such as added attendees, modified URLs, alarms, or other calendar fields. Version 2.12.2 contains a patch for the issue.

2.12.2
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-13T09:28:19.684440+00:00	Ruby Importer	Affected by	VCID-t2g3-d1e3-5yg4	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/icalendar/CVE-2026-33635.yml	38.6.0
2026-06-12T21:35:40.693172+00:00	GitLab Importer	Affected by	VCID-t2g3-d1e3-5yg4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/icalendar/CVE-2026-33635.yml	38.6.0

2026-06-13T09:28:19.684440+00:00

Ruby Importer

Affected by

VCID-t2g3-d1e3-5yg4

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/icalendar/CVE-2026-33635.yml

38.6.0

2026-06-12T21:35:40.693172+00:00

GitLab Importer

Affected by

VCID-t2g3-d1e3-5yg4

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/icalendar/CVE-2026-33635.yml

38.6.0

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk	3.1