CVE-2026-43882
Status: Received - Intake
CRLF Injection in AVideo Leading to Calendar Phishing

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS(), which builds an ICS calendar file via the ICS helper class. ICS::escape_string() (objects/ICS.php:167-169) only escapes commas (,) and semicolons (;) and does NOT neutralize CR/LF, so attacker CRLF bytes inside a property value break out and inject arbitrary ICS lines, including END:VEVENT / BEGIN:VEVENT pairs that add entire attacker-controlled calendar events. Because the malicious .ics file is served from the victim's trusted AVideo origin, this enables high-credibility calendar phishing: forged meetings with attacker-chosen SUMMARY, URL, LOCATION, and DESCRIPTION landing in the victim's calendar after import. Commit 764db592f99e545aa86bb9a4ad664ffd14c38ba5 contains an updated fix.
Meta Information
Generated: 2026-05-12
AI Q&A: 2026-05-12
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor   Product   Version / Range
wwbn     avideo    up to and including 29.0
CWE
CWE-93: The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in WWBN AVideo, an open source video platform, in versions up to and including 29.0. The issue is in the unauthenticated plugin/Scheduler/downloadICS.php endpoint, which accepts attacker-controlled parameters such as title, description, and joinURL. These parameters are passed into the Scheduler::downloadICS() function that builds an ICS calendar file using the ICS helper class.

The ICS::escape_string() function only escapes commas and semicolons but does not neutralize carriage return and line feed (CR/LF) characters. This allows an attacker to inject CRLF bytes inside a property value, breaking out of the intended field and injecting arbitrary ICS lines, including new calendar event blocks (END:VEVENT / BEGIN:VEVENT).

Because the malicious .ics file is served from the victim's trusted AVideo origin, and the endpoint requires no authentication, an attacker only needs to get a crafted downloadICS.php link in front of the victim. This enables high-credibility calendar phishing attacks where forged meetings with attacker-chosen details like SUMMARY, URL, LOCATION, and DESCRIPTION appear in the victim's calendar once the victim imports the file.
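The following Python model, added here for illustration and not taken from AVideo or the fix commit, reproduces the escaping flaw described in the Description and in the explanation above, next to an RFC 5545 TEXT escape and an input-boundary check. The function names (escape_vulnerable, escape_rfc5545, reject_crlf, build_ics, download_ics_hardened, parse_events), the PRODID, UIDs, dates and the phishing payload are all constructed; escape_vulnerable only mirrors the behaviour the advisory attributes to ICS::escape_string(), and the hardened form follows the RFC rather than necessarily matching what commit 764db59 does. parse_events is a minimal reader that counts VEVENT blocks the way a calendar client would, which is also a usable check against .ics files a server actually emits.

```python
"""CRLF injection into ICS TEXT values: vulnerable escape, RFC 5545 escape,
and a boundary check.  Constructed illustration; none of this is AVideo's code."""
import re
from typing import Callable, Dict, List

CRLF = "\r\n"


def escape_vulnerable(value: str) -> str:
    """Escapes only ',' and ';' (as the advisory describes); raw CR/LF pass through."""
    return value.replace(",", "\\,").replace(";", "\\;")


def escape_rfc5545(value: str) -> str:
    """RFC 5545 section 3.3.11 TEXT escaping: backslash first, then ';' and ',',
    and every line break becomes the two literal characters backslash-n, so no
    raw CR or LF survives to start a new content line."""
    value = value.replace("\\", "\\\\").replace(";", "\\;").replace(",", "\\,")
    value = value.replace("\r\n", "\n").replace("\r", "\n")
    return value.replace("\n", "\\n")


def reject_crlf(name: str, value: str) -> str:
    """Boundary check on request parameters.  Needed on top of TEXT escaping
    because URL is a URI-typed property with no RFC 5545 escaping at all."""
    if "\r" in value or "\n" in value:
        raise ValueError(f"{name}: CR/LF not allowed in an ICS property value")
    return value


def build_ics(title: str, description: str, join_url: str,
              esc: Callable[[str], str]) -> str:
    """One-event calendar; `esc` is applied to the TEXT properties only."""
    lines = [
        "BEGIN:VCALENDAR", "VERSION:2.0",
        "PRODID:-//example//scheduler//EN",  # constructed, not AVideo's PRODID
        "BEGIN:VEVENT", "UID:demo-1@example.invalid",
        "DTSTART:20260601T090000Z", "DTEND:20260601T100000Z",
        f"SUMMARY:{esc(title)}", f"DESCRIPTION:{esc(description)}",
        f"URL:{join_url}",
        "END:VEVENT", "END:VCALENDAR",
    ]
    return CRLF.join(lines) + CRLF


def download_ics_hardened(title: str, description: str, join_url: str) -> str:
    """Hardened generator: refuse CR/LF at the boundary, then escape TEXT values."""
    for name, value in (("title", title), ("description", description), ("joinURL", join_url)):
        reject_crlf(name, value)
    return build_ics(title, description, join_url, escape_rfc5545)


def parse_events(ics: str) -> List[Dict[str, str]]:
    """Minimal reader: unfold continuation lines, collect every VEVENT's properties."""
    unfolded = re.sub(r"\r\n[ \t]", "", ics)
    events: List[Dict[str, str]] = []
    current = None
    for line in unfolded.split(CRLF):
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            name, _, value = line.partition(":")
            current[name.split(";")[0]] = value  # drop property parameters
    return events


# Constructed attacker-controlled `title`: closes the legitimate event and opens a
# forged one; the generator's own DESCRIPTION and URL lines (also attacker-controlled
# request parameters) then complete the forged event.
FORGED_TITLE = CRLF.join([
    "Team sync", "END:VEVENT", "BEGIN:VEVENT",
    "UID:forged@example.invalid",
    "DTSTART:20260602T130000Z", "DTEND:20260602T140000Z",
    "SUMMARY:Mandatory password reset", "LOCATION:Microsoft Teams",
])


def demo() -> Dict[str, object]:
    description = "Sign in within 24 hours to keep your account"
    join_url = "https://attacker.invalid/reset"  # constructed phishing URL
    vulnerable = parse_events(build_ics(FORGED_TITLE, description, join_url, escape_vulnerable))
    escaped = parse_events(build_ics(FORGED_TITLE, description, join_url, escape_rfc5545))
    try:
        download_ics_hardened(FORGED_TITLE, description, join_url)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_event_count": len(vulnerable),   # 2: the forged event was injected
        "vulnerable_summaries": [e["SUMMARY"] for e in vulnerable],
        "escaped_event_count": len(escaped),         # 1: CRLF folded into literal \n
        "escaped_summary": escaped[0]["SUMMARY"],
        "boundary_rejected": rejected,               # True: request refused outright
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the vulnerable escape the parser sees two VEVENT blocks, the second carrying the attacker's SUMMARY, LOCATION, DESCRIPTION and URL; with the RFC 5545 escape the whole payload stays inside one SUMMARY value as visible backslash-n text, and the boundary check rejects the request before any file is generated. Both layers are worth keeping: escaping protects TEXT values, while the URL property can only be protected by refusing CR/LF on input.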


How can this vulnerability impact me?

This vulnerability can lead to calendar phishing attacks by injecting malicious calendar events into a victim's calendar application. Since the malicious .ics files come from a trusted source (the victim's own AVideo platform), the forged events appear credible and can trick users into attending fake meetings or clicking on malicious URLs.

Such phishing events can be used to deliver social engineering attacks, potentially leading to credential theft, malware installation, or other security breaches.

