Lucene search
K

1932 matches found

RedhatCVE
RedhatCVE
added 2026/05/26 2:12 a.m.10 views

CVE-2023-54348

ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to inject spreadsheet formulas into vendor name fields that execute on the workstation of users who open the exported CSV in a spreadsheet application. Attackers can add malicious formulas like =10+20+cmd|' ...

8.8CVSS5.9AI score0.00352EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/22 9:10 p.m.5 views

CVE-2026-41073

RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet CSV/formula injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output file, which can caus...

4.6CVSS5.7AI score0.00166EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/05/22 9:10 p.m.113 views

CVE-2026-41073

CVE-2026-41073 affects RT (open source issue/IT ticket tracker). Versions older than 5.0.10 and 6.0.0–6.0.2 write user-controlled data into spreadsheet exports without sanitization, allowing CSV/formula injection when opened in spreadsheet apps. The underlying issue is that exported outputs may b...

4.6CVSS5.7AI score0.00166EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/05 11:24 a.m.4 views

CVE-2023-54348 ERPGo SaaS 3.9 CSV Injection via Vendor Creation

ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to inject spreadsheet formulas into vendor name fields that execute on the workstation of users who open the exported CSV in a spreadsheet application. Attackers can add malicious formulas like =10+20+cmd|' ...

8.8CVSS5.9AI score0.00352EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/05/05 12:0 a.m.9 views

Rajodiya ERPGo SaaS 安全漏洞

Rajodiya ERPGo SaaS is an online enterprise resource planning system provided by Rajodiya Corporation. Version 3.9 of Rajodiya ERPGo SaaS contains a security vulnerability. This vulnerability stems from a CSV injection flaw, allowing authenticated attackers to execute arbitrary code by injecting...

8.8CVSS6.2AI score0.00352EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/04/14 12:56 a.m.7 views

CVE-2026-39424 MaxKB has CSV Injection in its Application Chat Export Functionality

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, the chat export feature is vulnerable to Improper Neutralization of Formula Elements in a CSV File. When an administrator exports the application chat history to an Excel file .xlsx via the...

5.3CVSS5.8AI score0.00368EPSS
Exploits0References3
CVE
CVE
added 2026/04/14 12:56 a.m.32 views

CVE-2026-39424

MaxKB (1Panel-dev) has a CSV-injection vulnerability in the chat export feature for versions 2.7.1 and earlier. When exporting chat history to .xlsx via /admin/api/workspace/{workspace_id}/application/{application_id}/chat/export, strings beginning with formula characters are written without sani...

5.3CVSS5.8AI score0.00368EPSS
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/02/03 11:49 a.m.2 views

CSV Injection

Overview moodle/moodle is a learning platform. Affected versions of this package are vulnerable to CSV Injection when exporting data to CSV or Excel. An attacker can execute arbitrary formulas in a spreadsheet application by supplying specially crafted input that is not properly escaped during...

7.8CVSS5.9AI score0.00251EPSS
Exploits0References2
NVD
NVD
added 2026/01/27 4:16 p.m.23 views

CVE-2020-36941

Knockpy 4.1.1 contains a CSV injection vulnerability that allows attackers to inject malicious formulas into CSV reports through unfiltered server headers. Attackers can manipulate server response headers to include spreadsheet formulas that will execute when the CSV is opened in spreadsheet...

9.8CVSS0.00494EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/01/27 3:23 p.m.21 views

CVE-2021-47901 dirsearch 0.4.1 - CSV Injection

Dirsearch 0.4.1 contains a CSV injection vulnerability when using the --csv-report flag that allows attackers to inject formulas through redirected endpoints. Attackers can craft malicious server redirects with comma-separated paths containing Excel formulas to manipulate the generated CSV report...

9.8CVSS0.0038EPSS
Exploits0References3
CVE
CVE
added 2026/01/27 3:23 p.m.11 views

CVE-2021-47901

Dirsearch 0.4.1 is affected by a CSV injection vulnerability exploitable via the --csv-report flag. An attacker can craft malicious server redirects with comma-separated paths containing Excel formulas, enabling manipulation of the generated CSV report. The issue is described across multiple sour...

9.8CVSS5.9AI score0.0038EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/01/27 3:23 p.m.5 views

CVE-2020-36941

Knockpy 4.1.1 contains a CSV injection vulnerability that allows attackers to inject malicious formulas into CSV reports through unfiltered server headers. Attackers can manipulate server response headers to include spreadsheet formulas that will execute when the CSV is opened in spreadsheet...

9.8CVSS6AI score0.00494EPSS
Exploits1References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/01/21 11:26 p.m.3 views

CVE-2026-23873

hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection Formula Injection through the contest rank export functionality contestrank.xls.php and admin/ranklistexport.php. The application fails to sanitize...

5.2CVSS5.8AI score0.00511EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2026/01/21 11:26 p.m.6 views

CVE-2026-23873 HUSTOJ is Vulnerable to Stored CSV Injection (Formula Injection) in Contest Rank Export

hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection Formula Injection through the contest rank export functionality contestrank.xls.php and admin/ranklistexport.php. The application fails to sanitize...

5.2CVSS6AI score0.00511EPSS
Exploits1References3
NVD
NVD
added 2026/01/16 7:16 p.m.9 views

CVE-2025-61873

Best Practical Request Tracker RT before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used...

2.6CVSS0.00193EPSS
Exploits0References1
OSV
OSV
added 2026/01/16 7:16 p.m.3 views

UBUNTU-CVE-2025-61873

Best Practical Request Tracker RT before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used...

2.6CVSS5.8AI score0.00193EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/01/16 12:0 a.m.3 views

CVE-2025-61873

Best Practical Request Tracker RT before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used...

2.6CVSS5.4AI score0.00193EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/01/16 12:0 a.m.21 views

CVE-2025-61873

Best Practical Request Tracker RT before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used...

2.6CVSS0.00193EPSS
Exploits0References1
CVE
CVE
added 2026/01/16 12:0 a.m.21 views

CVE-2025-61873

Summary: CVE-2025-61873 affects Best Practical Request Tracker (RT). The connected Debian advisory confirms the issue is a CSV injection vulnerability in RT exports to TSV from search results, caused by ticket values containing certain characters and exported in TSV, enabling injection. Debian li...

2.6CVSS6.6AI score0.00193EPSS
Exploits0References1
OSV
OSV
added 2026/01/13 4:42 p.m.5 views

GO-2026-4303 Mattermost Server is vulnerable CSV Injection in github.com/mattermost/mattermost-server

Mattermost Server is vulnerable CSV Injection in github.com/mattermost/mattermost-server...

9.8CVSS7.1AI score0.01285EPSS
Exploits0References4
Rows per page
Query Builder