Nextcloud · Nextcloud Calendar · CVE-2022-24838
**Name of the Vulnerable Software and Affected Versions**
Nextcloud Calendar versions prior to 3.2.2
**Description**
The issue is an SMTP command injection in appointment emails. It occurs because newlines and special characters in the email value of the JSON request are not sanitized. An attacker can inject newlines to break out of the `RCPT TO:<BOOKING USER'S EMAIL>` SMTP command and inject arbitrary SMTP commands.
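The class of check whose absence is described above, as an added example: it is not code from Nextcloud Calendar and not the project's patch. The request shape (an `email` key), the function names and the sample values are assumptions made for illustration.

```python
import json
import re

# Conservative addr-spec: no whitespace, control characters or angle brackets.
# Deliberately stricter than RFC 5321 (an assumption of this example).
_ADDR_RE = re.compile(r"[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
_MAX_LEN = 254


class InvalidRecipient(ValueError):
    """Raised when a value must not be placed in an SMTP envelope."""


def validate_recipient(value):
    """Return the address unchanged if it is safe to put inside RCPT TO:<...>."""
    if not isinstance(value, str):
        raise InvalidRecipient("email must be a string")
    if len(value) > _MAX_LEN:
        raise InvalidRecipient("email too long")
    # Reject instead of stripping: stripping would silently accept tampered input.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise InvalidRecipient("control character in email")
    if not _ADDR_RE.fullmatch(value):
        raise InvalidRecipient("not a plain addr-spec")
    return value


def rcpt_lines(value):
    """Lines an SMTP server would receive if `value` were interpolated unchecked."""
    return [ln for ln in re.split(r"\r\n|\r|\n", f"RCPT TO:<{value}>") if ln]


def handle_booking(raw_json):
    """Parse a booking request (hypothetical shape) and build the RCPT command."""
    body = json.loads(raw_json)
    rcpt = validate_recipient(body.get("email"))
    return f"RCPT TO:<{rcpt}>\r\n"


# Constructed sample requests; NOOP stands in for any extra SMTP command.
GOOD = json.dumps({"email": "visitor@example.com"})
BAD = json.dumps({"email": "visitor@example.com>\r\nNOOP"})

if __name__ == "__main__":
    print(handle_booking(GOOD), end="")
    print(rcpt_lines(json.loads(BAD)["email"]))  # two lines instead of one
```

`rcpt_lines` makes the failure visible: one envelope field turns into more than one SMTP line, which is exactly what `validate_recipient` refuses before the command is built.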
**Recommendations**
For versions prior to 3.2.2, upgrade to version 3.2.2 to resolve the issue.
At the moment, there are no workarounds available for this issue.