Vulnerability-Lookup

Vulnerability from drupal

Published

2026-05-13 17:19

Modified

2026-05-13 17:19

Summary

Details

This module enables you to export entity date fields as iCal feeds.

The module doesn't sufficiently check entity or field access or sanitize user inputs when generating iCal feeds.

This vulnerability is not mitigated by any permission, the routes are accessible to all anonymous users with no configuration required.

Credits

Drew Webber (mcdruid) www.drupal.org/u/mcdruid

References

URL

Type

https://www.drupal.org/sa-contrib-2026-037

WEB

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "\u003c4.0.15"
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/date_ical"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "\u003c4.0.15"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [
    "CVE-2026-8495"
  ],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/u/mcdruid"
      ],
      "name": "Drew Webber (mcdruid)"
    }
  ],
  "details": "This module enables you to export entity date fields as iCal feeds.\n\nThe module doesn\u0027t sufficiently check entity or field access or sanitize user inputs when generating iCal feeds.\n\nThis vulnerability is not mitigated by any permission, the routes are accessible to all anonymous users with no configuration required.",
  "id": "DRUPAL-CONTRIB-2026-037",
  "modified": "2026-05-13T17:19:25.000Z",
  "published": "2026-05-13T17:19:25.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2026-037"
    }
  ],
  "schema_version": "1.7.0"
}

CVE-2026-8495 (GCVE-0-2026-8495)

Vulnerability from cvelistv5 – Published: 2026-05-19 22:29 – Updated: 2026-05-20 16:35

Title

Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037

Summary

Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing. This issue affects Date iCal: from 0.0.0 before 4.0.15.

Severity

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-862 - Missing Authorization

Assigner

drupal

References

1 reference

URL	Tags
https://www.drupal.org/sa-contrib-2026-037

Impacted products

1 product

Vendor	Product	Version
Drupal	Date iCal	Affected: 0.0.0 , < 4.0.15 (semver)

Date Public

2026-05-13 17:19

Credits

Drew Webber (mcdruid) JoÃ«l Pittet (joelpittet) Greg Knaddison (greggles) Dave Long (longwave) Juraj Nemec (poker10) Drew Webber (mcdruid)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-8495",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-20T15:52:33.388595Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-20T16:35:44.458Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.drupal.org/project/date_ical",
          "defaultStatus": "unaffected",
          "product": "Date iCal",
          "repo": "https://git.drupalcode.org/project/date_ical",
          "vendor": "Drupal",
          "versions": [
            {
              "lessThan": "4.0.15",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Drew Webber (mcdruid)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jo\u00c3\u00abl Pittet (joelpittet)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Greg Knaddison (greggles)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Dave Long (longwave)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Juraj Nemec (poker10)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Drew Webber (mcdruid)"
        }
      ],
      "datePublic": "2026-05-13T17:19:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing.\u003cp\u003eThis issue affects Date iCal: from 0.0.0 before 4.0.15.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing.\n\nThis issue affects Date iCal: from 0.0.0 before 4.0.15."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-87",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-87 Forceful Browsing"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-19T22:29:50.850Z",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "url": "https://www.drupal.org/sa-contrib-2026-037"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2026-8495",
    "datePublished": "2026-05-19T22:29:50.850Z",
    "dateReserved": "2026-05-13T16:55:31.986Z",
    "dateUpdated": "2026-05-20T16:35:44.458Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

Vulnerability from drupal

CVE-2026-8495 (GCVE-0-2026-8495)

Tags

Sightings

Nomenclature