CVE-2026-8495

CVE-2026-8495: Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037

Vendor Drupal

Product Date iCal

Weakness CWE-862 · Missing authorization

Published May 19, 2026

Last update May 20, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing. This issue affects Date iCal: from 0.0.0 before 4.0.15.

Explanation of Vulnerability in Simple Terms

02Summary

The Date iCal module for Drupal does not properly check user permissions before allowing access to certain operations. An attacker with insufficient privileges can perform actions they should not be able to, such as viewing or modifying calendar data. Update to version 4.0.15 or later to fix this vulnerability.

What an attacker can do

03Attacker Capabilities

Perform calendar operations without proper authorization.

Potential impact on your site

04Site Impact

Unauthorized users may view, modify, or delete calendar data depending on the module's functionality.

Conditions required to exploit

05Prerequisites

Access to the Drupal site; specific privilege level unknown due to missing CVSS data.

Key dates

06Disclosure timeline

May 19, 2026 CVE published

May 20, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-8495 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities