CVE & CISA-KEV Catalog

CVE-2026-33635

MEDIUM
4.3
CVSS v3
NVD

Description

iCalendar is a Ruby library for dealing with iCalendar files in the iCalendar format defined by RFC-5545. Starting in version 2.0.0 and prior to version 2.12.2, .ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input, adding arbitrary calendar lines to the output. `Icalendar::Values::Uri` falls back to the raw input string when `URI.parse` fails and later serializes it with `value.to_s` without removing or escaping `\r` or `\n` characters. That value is embedded directly into the final ICS line by the normal serializer, so a payload containing CRLF can terminate the original property and create a new ICS property or component. (It looks like you can inject via url, source, image, organizer, attach, attendee, conference, tzurl because of this). Applications that generate `.ics` files from partially untrusted metadata are impacted. As a result, downstream calendar clients or importers may process attacker-supplied content as if it were legitimate event data, such as added attendees, modified URLs, alarms, or other calendar fields. Version 2.12.2 contains a patch for the issue.

How to fix

Remediation Available
icalendarNVD
Affected:>= 2.0.0, < 2.12.2Fixed in:2.12.2CVE-2026-33635derived from NVD

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionRequired
ScopeUnchanged

Impact

ConfidentialityNone
IntegrityLow
AvailabilityNone

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Exploit Intelligence

0.24%probability of exploitation in 30 days
16thpercentile

Low risk: more likely to be exploited than 16% of all known CVEs.

References

Exploit1
Vendor Advisory1

Related Vulnerabilities

Other CWE-93 vulnerabilities, ordered by exploit likelihood. View all

CVESeverityCVSSEPSSExploitedFix
CVE-2025-61884High7.598%KEV + Ransom-
CVE-2022-0666High7.544%-Fix
CVE-2016-3115Medium6.437%-Fix
CVE-2024-20337High8.230%-Fix
CVE-2021-39172High8.829%-Fix
CVE-2016-4975Medium6.120%-Fix
Embed a live status badge for CVE-2026-33635
CVE-2026-33635 severity badge

Markdown

[![CVE-2026-33635](https://tridentstack.com/cve/badge/CVE-2026-33635.svg)](https://tridentstack.com/cve/CVE-2026-33635)

HTML

<a href="https://tridentstack.com/cve/CVE-2026-33635"><img src="https://tridentstack.com/cve/badge/CVE-2026-33635.svg" alt="CVE-2026-33635"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-04-10.