iCalendar has ICS injection via unsanitized URI property values
.ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input, adding arbitrary calendar lines to the output.
Advisories for Gem/Icalendar package
2026