Vulnerabilities affecting this package (0)

This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)

Vulnerability: VCID-ge52-te2z-17gn

iCalendar has ICS injection via unsanitized URI property values
### Summary
.ics serialization does not properly sanitize URI property values, so
attacker-controlled input can inject arbitrary calendar lines into the
output (ICS injection).
### Details
`Icalendar::Values::Uri` falls back to the raw input string when
`URI.parse` fails and later serializes it with `value.to_s` without
removing or escaping `\r` or `\n` characters. The normal serializer
embeds that value directly into the final ICS content line, so a value
containing CRLF can terminate the original property and start a new ICS
property or component. The same fallback appears reachable through the
url, source, image, organizer, attach, attendee, conference and tzurl
properties.
Relevant code:
- `lib/icalendar/values/uri.rb:16`
### Impact
Applications that generate `.ics` files from partially untrusted
metadata are impacted. As a result, downstream calendar clients
or importers may process attacker-supplied content as if it were
legitimate event data, such as added attendees, modified URLs,
alarms, or other calendar fields.
### Fix
Reject raw CR and LF characters in `URI`-typed values before
serialization, or escape/encode them so they cannot terminate
the current ICS content line.
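The check the Fix section describes, as an added Ruby example that is not the icalendar gem's own code: a stand-in URI value class that refuses CR and LF before the `URI.parse` fallback, plus a helper that screens the URI-typed properties named above. The class and method names are assumptions, not the gem's API.

```ruby
require "uri"

# Added example, not code from the icalendar gem. It applies the fix the
# advisory recommends: reject raw CR/LF in URI-typed values before they
# reach the serializer, so a value can never end one ICS content line and
# begin another. All names here are illustrative only.
class SafeUriValue
  class InvalidValue < ArgumentError; end
  # Properties the advisory lists as reaching the URI value type.
  URI_PROPERTIES = %w[url source image organizer attach attendee
                      conference tzurl].freeze

  # True when the raw string stays on a single content line.
  def self.valid?(raw)
    !raw.to_s.match?(/[\r\n]/)
  end

  attr_reader :value

  def initialize(raw)
    raw = raw.to_s
    # The vulnerable code fell back to the raw string on parse failure;
    # here CR or LF is refused outright, before any fallback.
    raise InvalidValue, "CR/LF not allowed in URI value" unless self.class.valid?(raw)

    @value = begin
      URI.parse(raw)
    rescue URI::InvalidURIError
      raw # same fallback as the gem, but now known to be single-line
    end
  end

  # What the serializer writes after "NAME:" on the content line.
  def value_ical
    value.to_s
  end
end

# Build one ICS content line, e.g. "URL:https://example.com/event".
def ics_property_line(name, raw_uri)
  "#{name.upcase}:#{SafeUriValue.new(raw_uri).value_ical}\r\n"
end

# Screen a hash of partially untrusted metadata before building an event:
# returns the URI-typed property names whose values would be rejected.
def rejected_uri_properties(metadata)
  metadata.select do |name, raw|
    SafeUriValue::URI_PROPERTIES.include?(name.to_s) && !SafeUriValue.valid?(raw)
  end.keys.map(&:to_s)
end
```

Non-URI properties such as summary are left to their own value types; only the properties the advisory names are screened here.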

Aliases: CVE-2026-33635, GHSA-pv9c-9mfh-hvxq