VIR Vulnerability Intelligence Relay

CVE-2026-8495

critical
Published 2026-05-19 · Modified 2026-05-13
CVSS v3
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2
VIR risk
9.8

Description

This module enables you to export entity date fields as iCal feeds. The module doesn't sufficiently check entity or field access or sanitize user inputs when generating iCal feeds. This vulnerability is not mitigated by any permission, the routes are accessible to all anonymous users with no configuration required.

Predictions

Exploit likelihood
97%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.

Package impact
EcosystemPackageVulnerableFixed
Packagist:https://packages.drupal.org/8drupal/date_ical<4.0.154.0.15

Application impact
VendorProductVersionsFixed
date_ical_projectdate_ical{"endExcluding":"4.0.15"}4.0.15

References

CWEs

CWE-862

Verify integrity in audit chain (admin only). AS-IS.