Drupal · Date Ical · CVE-2026-8495
**Name of the Vulnerable Software and Affected Versions**
Date iCal versions 0.0.0 through 4.0.14
**Description**
A missing authorization issue in the Date iCal module, which exports entity date fields as iCal feeds, allows forceful browsing. The module fails to sufficiently check entity or field access and does not properly sanitize user inputs during the generation of iCal feeds. These routes are accessible to all anonymous users without requiring any configuration.
**Recommendations**
Update to version 4.0.15.