1937 matches found
CVE-2026-50179 Actual: CSV Formula Injection in Transaction Export via Imported Payee/Notes Fields
Actual is a local-first personal finance tool. Prior to 26.6.0, exportToCSV and exportQueryToCSV in packages/loot-core/src/server/transactions/export/export-to-csv.ts pass user-controlled Payee, Notes, Account, and Category strings to csv-stringify with no cast callback and no formula-prefix...
CVE-2026-46672 Actual: CSV Formula Injection in `@actual-app/cli` `--format csv` Output via Custom `escapeCsv` Helper
Actual is a local-first personal finance app. Prior to 26.6.0, @actual-app/cli ships a hand-rolled CSV serializer in packages/cli/src/output.ts used whenever the global --format csv option is passed, whose escapeCsv helper only handles RFC 4180 delimiter, quote, and newline escaping and does not...
CVE-2026-47693
Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 are vulnerable to CSV Injection Formula Injection in its log export functionality. User-controlled data — specifically the username field — is written to exported CSV files without sanitizing...
CVE-2026-47693
CVE-2026-47693 details (Poweradmin) : Poweradmin, a web-based DNS admin tool for PowerDNS, is vulnerable to CSV Injection in its log export endpoints. User-supplied data (notably the username) is written to exported CSVs without sanitizing formula trigger characters (=, +, -, @). When an admin ex...
CVE-2026-47693 Poweradmin: CSV Injection in log export endpoints allows formula execution in spreadsheet applications
Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 are vulnerable to CSV Injection Formula Injection in its log export functionality. User-controlled data — specifically the username field — is written to exported CSV files without sanitizing...
CSV Injection
Overview Affected versions of this package are vulnerable to CSV Injection in the exportToCSV and exportQueryToCSV processes, where user-controlled input from fields such as Payee and Notes is passed to CSV export without neutralizing formula-triggering characters. An attacker can cause...
CSV Injection
Overview Affected versions of this package are vulnerable to CSV Injection via the escapeCsv function, which fails to neutralize formula-triggering prefixes in user-controlled fields when exporting data to CSV format. An attacker can cause arbitrary formula execution or data exfiltration by...
Debian dsa-6327 : request-tracker4 - security update
The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6327 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6327-1 [email protected] https://www.debian.org/securit...
[SECURITY] [DSA 6327-1] request-tracker4 security update
------------------------------------------------------------------------- Debian Security Advisory DSA-6327-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso June 07, 2026 https://www.debian.org/security/faq -...
[SECURITY] [DSA 6324-1] request-tracker5 security update
------------------------------------------------------------------------- Debian Security Advisory DSA-6324-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso June 06, 2026 https://www.debian.org/security/faq -...
Debian dsa-6324 : request-tracker5 - security update
The remote Debian 12 / 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6324 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6324-1 [email protected]...
CVE-2026-10248
A vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System up to 1.0. This issue affects the function createsupplier of the file /Exportcsv/export of the component Supplier Creation Interface. This manipulation of the argument Address/Company Name causes csv injection...
CVE-2025-52612
CVE-2025-52612 affects HCL iControl. The vulnerability is described as a CSV export injection that enables reflected cross-site scripting due to insufficient input parameter sanitization. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H) indicates high impact across confidentiality, integ...
PT-2026-46187
HCL iControl was affected by Export CSV - CSV Injection vulnerability. It is vulnerable to a reflected cross-site scripting vulnerability. This was caused by an insufficient sanitation of input parameters...
HCL iControl 安全漏洞
HCL iControl is an IT infrastructure monitoring and automation platform developed by HCL Company in India. HCL iControl has a security vulnerability, which stems from CSV injection during the export of CSV files. Due to insufficient parameter cleaning, reflection-type cross-site scripting attacks...
CVE-2026-10248
A vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System up to 1.0. This issue affects the function createsupplier of the file /Exportcsv/export of the component Supplier Creation Interface. This manipulation of the argument Address/Company Name causes csv injection...
CVE-2026-10248 SourceCodester Pharmacy Sales and Inventory System Supplier Creation export create_supplier csv injection
A vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System up to 1.0. This issue affects the function createsupplier of the file /Exportcsv/export of the component Supplier Creation Interface. This manipulation of the argument Address/Company Name causes csv injection...
CVE-2026-10248
CVE-2026-10248 affects SourceCodester Pharmacy Sales and Inventory System (up to 1.0). The vulnerability resides in the function create_supplier, within the /Export_csv/export component of the Supplier Creation Interface, where manipulating the Address/Company Name argument enables CSV injection....
PT-2026-45394
A vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System up to 1.0. This issue affects the function create supplier of the file /Export csv/export of the component Supplier Creation Interface. This manipulation of the argument Address/Company Name causes csv injection...
CVE-2026-9673
Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications...