Skip to main content

icalendar CVE-2026-55099

CRITICAL
2026-06-23
Share

Severity by source

vuln.today AI
7.5 HIGH

Network-reachable parser, no authentication or interaction needed; sole impact is availability loss consistent with the stated 7.5 score.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Lifecycle Timeline

1
Analysis Generated
Jun 23, 2026 - 20:15 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Denial of Service in the collective/icalendar Python library allows attackers to crash or hang applications that process externally supplied iCalendar data. The vulnerability carries a CVSS score of 7.5 High and affects Plone CMS deployments as well as any Python application using the library to parse .ics input. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Locate iCalendar import endpoint
Delivery
Craft malicious .ics payload
Exploit
Submit payload to parser
Execution
Trigger resource exhaustion
Persist
Application process crashes or hangs
Impact
Denial of service achieved

Vulnerability AssessmentAI

Exploitation The application must be processing externally supplied or attacker-controlled iCalendar (.ics) data using the collective/icalendar Python library. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The reported severity of 7.5 High is consistent with unauthenticated network exploitation leading to complete availability loss, but no CVSS vector was provided in the input - this assessment is inferred. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a specially crafted .ics file - for example, through a Plone site's iCalendar import feature or any public-facing endpoint backed by the collective/icalendar library - that triggers excessive resource consumption during parsing. Repeated or concurrent submissions exhaust server memory or CPU, causing the application process to become unresponsive or crash. …
Remediation The primary fix is to upgrade the collective/icalendar library to the patched version specified in the advisory at https://github.com/collective/icalendar/security/advisories/GHSA-cv84-9p8j-fj68 - the exact fix version was not confirmed in the provided input data and should be verified there directly before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Complete inventory of all systems and applications using collective/icalendar library, determine current versions, and identify sources of external iCalendar input. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55099 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy