{"id":"DRUPAL-CONTRIB-2026-037","details":"This module enables you to export entity date fields as iCal feeds.\n\nThe module doesn't sufficiently check entity or field access or sanitize user inputs when generating iCal feeds.\n\nThis vulnerability is not mitigated by any permission, the routes are accessible to all anonymous users with no configuration required.","aliases":["CVE-2026-8495"],"modified":"2026-05-13T19:00:15.144188Z","published":"2026-05-13T17:19:25Z","references":[{"type":"WEB","url":"https://www.drupal.org/sa-contrib-2026-037"}],"affected":[{"package":{"name":"drupal/date_ical","ecosystem":"Packagist:https://packages.drupal.org/8","purl":"pkg:composer/drupal/date_ical"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.0.15"}],"database_specific":{"constraint":"\u003c4.0.15"}}],"database_specific":{"source":"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/date_ical/DRUPAL-CONTRIB-2026-037.json","affected_versions":"\u003c4.0.15"}}],"schema_version":"1.7.5","credits":[{"name":"Drew Webber (mcdruid)","contact":["https://www.drupal.org/u/mcdruid"]}]}