Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-t2g3-d1e3-5yg4
Vulnerability ID VCID-t2g3-d1e3-5yg4
Aliases CVE-2026-33635
GHSA-pv9c-9mfh-hvxq
Summary iCalendar is a Ruby library for dealing with iCalendar files in the iCalendar format defined by RFC-5545. Starting in version 2.0.0 and prior to version 2.12.2, .ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input, adding arbitrary calendar lines to the output. `Icalendar::Values::Uri` falls back to the raw input string when `URI.parse` fails and later serializes it with `value.to_s` without removing or escaping `\r` or `\n` characters. That value is embedded directly into the final ICS line by the normal serializer, so a payload containing CRLF can terminate the original property and create a new ICS property or component. (It looks like you can inject via url, source, image, organizer, attach, attendee, conference, tzurl because of this). Applications that generate `.ics` files from partially untrusted metadata are impacted. As a result, downstream calendar clients or importers may process attacker-supplied content as if it were legitimate event data, such as added attendees, modified URLs, alarms, or other calendar fields. Version 2.12.2 contains a patch for the issue.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2026-33635
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2026-33635
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2026-33635
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2026-33635
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-pv9c-9mfh-hvxq
cvssv3.1 4.3 https://github.com/icalendar/icalendar
generic_textual MODERATE https://github.com/icalendar/icalendar
cvssv3.1 4.3 https://github.com/icalendar/icalendar/commit/b8d23b490363ee5fffaec1d269a8618a912ca265
generic_textual MODERATE https://github.com/icalendar/icalendar/commit/b8d23b490363ee5fffaec1d269a8618a912ca265
ssvc Track https://github.com/icalendar/icalendar/commit/b8d23b490363ee5fffaec1d269a8618a912ca265
cvssv3 4.3 https://github.com/icalendar/icalendar/security/advisories/GHSA-pv9c-9mfh-hvxq
cvssv3.1 4.3 https://github.com/icalendar/icalendar/security/advisories/GHSA-pv9c-9mfh-hvxq
cvssv3.1_qr MODERATE https://github.com/icalendar/icalendar/security/advisories/GHSA-pv9c-9mfh-hvxq
generic_textual MODERATE https://github.com/icalendar/icalendar/security/advisories/GHSA-pv9c-9mfh-hvxq
ssvc Track https://github.com/icalendar/icalendar/security/advisories/GHSA-pv9c-9mfh-hvxq
cvssv3.1 4.3 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/icalendar/CVE-2026-33635.yml
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/icalendar/CVE-2026-33635.yml
ssvc Track https://github.com/rubysec/ruby-advisory-db/blob/master/gems/icalendar/CVE-2026-33635.yml
cvssv3.1 4.3 https://nvd.nist.gov/vuln/detail/CVE-2026-33635
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-33635
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-33635
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33635
https://github.com/icalendar/icalendar
https://nvd.nist.gov/vuln/detail/CVE-2026-33635
b8d23b490363ee5fffaec1d269a8618a912ca265 https://github.com/icalendar/icalendar/commit/b8d23b490363ee5fffaec1d269a8618a912ca265
CVE-2026-33635.yml https://github.com/rubysec/ruby-advisory-db/blob/master/gems/icalendar/CVE-2026-33635.yml
GHSA-pv9c-9mfh-hvxq https://github.com/advisories/GHSA-pv9c-9mfh-hvxq
GHSA-pv9c-9mfh-hvxq https://github.com/icalendar/icalendar/security/advisories/GHSA-pv9c-9mfh-hvxq
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Found at https://github.com/icalendar/icalendar
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Found at https://github.com/icalendar/icalendar/commit/b8d23b490363ee5fffaec1d269a8618a912ca265
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T11:33:37Z/ Found at https://github.com/icalendar/icalendar/commit/b8d23b490363ee5fffaec1d269a8618a912ca265
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Found at https://github.com/icalendar/icalendar/security/advisories/GHSA-pv9c-9mfh-hvxq
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T11:33:37Z/ Found at https://github.com/icalendar/icalendar/security/advisories/GHSA-pv9c-9mfh-hvxq
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/icalendar/CVE-2026-33635.yml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T11:33:37Z/ Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/icalendar/CVE-2026-33635.yml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-33635
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.16032
EPSS Score 0.0005
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:49:35.547332+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/33xxx/CVE-2026-33635.json 38.6.0