Lucene search
K

3 matches found

Vulnrichment
Vulnrichment
added 2026/05/11 8:40 p.m.8 views

CVE-2026-43882 WWBN AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing

WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS, which builds an ICS calendar file via the ICS helper...

4.3CVSS5.9AI score0.0018EPSS
Exploits0References2
OSV
OSV
added 2026/05/05 10:14 p.m.7 views

GHSA-MWGH-92M2-WVHV AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing

Summary The unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS, which builds an ICS calendar file via the ICS helper class. ICS::escapestring objects/ICS.php:167-169 only escapes , and ; and...

4.3CVSS6AI score0.0018EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/05/05 10:14 p.m.11 views

AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing

Summary The unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS, which builds an ICS calendar file via the ICS helper class. ICS::escapestring objects/ICS.php:167-169 only escapes , and ; and...

4.3CVSS6AI score0.0018EPSS
Exploits0References4Affected Software1
Rows per page
Query Builder