PT-2026-27632 · Calendar · Calendar

Published: 2026-03-24 · Updated: 2026-03-26 · CVE-2026-33635

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: icalendar (affected versions not specified)
Description: The software does not properly sanitize URI property values during .ics serialization, leading to ICS injection. This allows attackers to inject arbitrary calendar lines through controlled input. Specifically, the Icalendar::Values::Uri class fails to properly handle or escape carriage return (\r) and line feed (\n) characters within URI values. When URI.parse fails, the raw input string is used and serialized without removing or escaping these characters, which can terminate the original property and create new ICS properties or components. Affected properties include url, source, image, organizer, attach, attendee, conference, and tzurl. Downstream calendar clients may then process attacker-supplied content as legitimate event data, such as added attendees or modified URLs.
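The hardened handling the description implies, as an added example in Ruby (the gem's language) that is not code from the icalendar project: every function and class name below is my own, the line-break check runs before URI.parse so a parse failure can no longer hand an unchecked raw string to the serializer, and the final helper is a defender-side check over already-serialized output using constructed sample data.

```ruby
require 'uri'

# A CR or LF inside a property value ends the current content line, so any
# text after it is read by the receiver as a new property or component.
LINE_BREAK = /[\r\n]/

class IcsInjectionError < ArgumentError; end

# True when the value fits on a single content line.
def uri_value_safe?(raw)
  !raw.to_s.match?(LINE_BREAK)
end

# Returns the string to serialize for a URI-typed property (url, attach,
# tzurl, ...). The line-break check is independent of URI.parse succeeding.
def safe_uri_value(raw)
  s = raw.to_s
  raise IcsInjectionError, 'URI value contains CR/LF' unless uri_value_safe?(s)
  begin
    URI.parse(s).to_s
  rescue URI::InvalidURIError
    s # lenient fallback for non-RFC3986 values, already known to be one line
  end
end

# Builds one content line "NAME:value" for a URI property.
def uri_property_line(name, raw)
  "#{name.upcase}:#{safe_uri_value(raw)}"
end

# Detection over a serialized calendar: `expected` maps a property name to
# the maximum number of occurrences that are legitimate (e.g. "ATTENDEE" => 0
# for an event that should carry no attendees). Returns the names whose
# actual count exceeds that maximum, which is how an injected line shows up.
def unexpected_property_counts(ics, expected)
  counts = Hash.new(0)
  ics.split(/\r?\n/).each do |line|
    next if line.start_with?(' ') # folded continuation line, not a new property
    name = line.split(/[;:]/, 2).first
    counts[name] += 1 if name
  end
  counts.select { |name, n| expected.key?(name) && n > expected[name] }
end
```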
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Related Identifiers: CVE-2026-33635, GHSA-PV9C-9MFH-HVXQ

Affected Products: Calendar