PT-2026-37298 · Avideo · Avideo

Offset · Published 2026-05-05 · Updated 2026-05-12 · CVE-2026-43882

CVSS v3.1: 4.3 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions prior to 29.0

Description: The unauthenticated plugin/Scheduler/downloadICS.php endpoint passes the attacker-controlled title, description and joinURL request parameters into Scheduler::downloadICS(), which uses the ICS helper class to build an ICS calendar file. ICS::escapeString() does not neutralize carriage return (CR) and line feed (LF) characters, so a parameter value can terminate the current content line and inject arbitrary ICS lines, including END:VEVENT and BEGIN:VEVENT pairs that add unauthorized calendar events. Because the malicious .ics file is served from the trusted AVideo origin, this enables high-credibility calendar phishing: forged meetings with attacker-chosen SUMMARY, URL, LOCATION and DESCRIPTION are added to the victim's calendar when the file is imported. No authentication is required, but the victim has to open or import the crafted file, which is why the vector carries PR:N together with UI:R.

Recommendations: Update to a release that includes commit 764db592f99e545aa86bb9a4ad664ffd14c38ba5. As a temporary workaround, restrict access to plugin/Scheduler/downloadICS.php or disable the Scheduler plugin.
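The following Python is an added illustration written for this page, not code from WWBN AVideo. It models the flaw the description outlines: an ICS builder whose escape routine handles the RFC 5545 TEXT specials but leaves CR and LF untouched, shown next to a hardened escape that encodes line breaks as the literal characters backslash-n, with a small reader that reports which VEVENT blocks an importing client would see. The function names, the event fields and the sample request values are assumptions chosen for the example.

```python
# Stand-alone model of the CR/LF injection described in the advisory.
# Written for this page, not taken from WWBN AVideo; the function names,
# event fields and sample values below are assumptions for the illustration.
from __future__ import annotations

CRLF = "\r\n"


def escape_vulnerable(value: str) -> str:
    """Escape only the RFC 5545 TEXT specials: backslash, ';' and ','.

    This models the flaw in the advisory: CR and LF are left in place, so a
    parameter value can end the current content line and append content
    lines of the attacker's choosing.
    """
    return (value.replace("\\", "\\\\")
                 .replace(";", "\\;")
                 .replace(",", "\\,"))


def escape_fixed(value: str) -> str:
    """Hardened variant that also neutralises line breaks.

    RFC 5545 section 3.3.11 represents a newline inside a TEXT value as the
    two characters backslash + 'n'; a lone CR has no meaning inside a value,
    so it is dropped.  The result never contains a raw CR or LF and therefore
    can never start a new content line.
    """
    value = escape_vulnerable(value)          # backslashes first, so the
    value = value.replace("\r\n", "\\n")      # added '\n' is not doubled
    return value.replace("\r", "").replace("\n", "\\n")


def build_ics(title: str, description: str, join_url: str, escape) -> str:
    """Build a one-event calendar, passing the untrusted fields through `escape`.

    Mirrors the shape the advisory gives for Scheduler::downloadICS(): title,
    description and joinURL come straight from the request.
    """
    lines = [
        "BEGIN:VCALENDAR",
        "VERSION:2.0",
        "PRODID:-//example//advisory model//EN",
        "BEGIN:VEVENT",
        "UID:legit-event@example.invalid",
        "DTSTART:20260601T090000Z",
        "SUMMARY:" + escape(title),
        "DESCRIPTION:" + escape(description),
        "URL:" + escape(join_url),
        "END:VEVENT",
        "END:VCALENDAR",
    ]
    return CRLF.join(lines) + CRLF


def event_summaries(ics: str) -> list[str]:
    """Return the SUMMARY of each VEVENT, the way an importing client sees it."""
    summaries: list[str] = []
    in_event = False
    for line in ics.splitlines():   # accepts CRLF, LF and CR, as lenient clients do
        if line == "BEGIN:VEVENT":
            in_event = True
        elif line == "END:VEVENT":
            in_event = False
        elif in_event and line.startswith("SUMMARY:"):
            summaries.append(line[len("SUMMARY:"):])
    return summaries


# Constructed attacker input for the `title` parameter: it closes the
# legitimate event and opens a forged one with attacker-chosen fields.
# The `description` and `joinURL` values (also attacker-controlled) land in
# the forged event because the builder emits them right after the title.
PAYLOAD_TITLE = CRLF.join([
    "Team sync",
    "END:VEVENT",
    "BEGIN:VEVENT",
    "UID:forged@attacker.invalid",
    "DTSTART:20260602T140000Z",
    "SUMMARY:Mandatory password reset",
    "LOCATION:https://attacker.invalid/reset",
])
PAYLOAD_DESCRIPTION = "Sign in at the link below before the meeting starts"
PAYLOAD_URL = "https://attacker.invalid/reset"


def demo(escape) -> list[str]:
    """Render the calendar with the given escaper and list the events it contains."""
    return event_summaries(
        build_ics(PAYLOAD_TITLE, PAYLOAD_DESCRIPTION, PAYLOAD_URL, escape))


if __name__ == "__main__":
    print("vulnerable:", demo(escape_vulnerable))   # two events, one forged
    print("fixed:     ", demo(escape_fixed))        # one event, payload inert
```

With the vulnerable escaper the rendered file contains two VEVENT blocks, the second carrying the attacker's SUMMARY, LOCATION and URL; with the hardened escaper the whole payload stays inside the single SUMMARY value as visible text. To check a deployment, request the endpoint with a title containing a URL-encoded line break and confirm that no raw CR or LF is reproduced inside a property value of the served .ics.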

Related Identifiers

CVE-2026-43882
GHSA-MWGH-92M2-WVHV

Affected Products

Avideo