Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2026-May-13
Vulnerability:
Information disclosure
Affected versions:
<4.0.15
CVE IDs:
CVE-2026-8495
Description:
This module enables you to export entity date fields as iCal feeds.
The module doesn't sufficiently check entity or field access or sanitize user inputs when generating iCal feeds.
This vulnerability is not mitigated by any permission, the routes are accessible to all anonymous users with no configuration required.
Solution:
Install the latest version:
- If you use the Date iCal module for Drupal 10/11, upgrade to Date iCal 4.0.15
Reported By:
- Drew Webber (mcdruid) of the Drupal Security Team
Fixed By:
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Dave Long (longwave) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
