CVE-2026-8495PATCHED

drupal · date_ical

Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037

Description

Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing. This issue affects Date iCal: from 0.0.0 before 4.0.15.

Affected Products

Vendor	Product	Versions
drupal	date_ical	0.0.0

References

https://www.drupal.org/sa-contrib-2026-037

Related News (2 articles)

Tier C

VulDB6d ago

CVE-2026-8495 | Date iCal up to 4.0.14 on Drupal authorization (sa-contrib-2026-037)

→ No new info (linked only)

Tier B

CCCS Canada13d ago

Drupal security advisory (AV26-463)

→ No new info (linked only)

CVSS 3.19.8 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited❌ No

Patch available

4.0.15

CWECWE-862

PublishedMay 19, 2026

Last enriched6d agov2

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-9082EXPKEV

Drupal core - Highly critical - SQL injection - SA-CORE-2026-004

Trending: 157

MEDIUMCVE-2026-6367EXP

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003

Trending: 24

NONECVE-2026-4929EXP

Simple Hierarchical Select (Drupal 7) XSS in term-derived output

Trending: 23

NONECVE-2026-4093EXP

Stored XSS in Drupal 7 Term Reference Tree module (token display templates and term labels)

Trending: 19

MEDIUMCVE-2026-6366EXP

Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002

Trending: 18

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

May 19, 2026

Discovered by ZDM

May 19, 2026

Updated: description, severity

May 20, 2026

Patch Available

May 20, 2026

Version History

Last enriched 6d ago

v2Tier C6d ago

Updated description with more technical detail, changed severity to HIGH, and noted that no exploit is available.

descriptionseverity

via VulDB

v16d ago

Initial creation