
30 matches found

ATTACKERKB
added 2026/05/08 3:28 a.m., 3 views

CVE-2026-42267

Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLEUSER can create a tag with a formula string as its name e.g. =SUM54+51 via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue joi...

6.8 CVSS, 5.7 AI score, 0.00034 EPSS
Exploits 1, References 3, Affected Software 1

OSV
added 2026/05/05 8:53 p.m., 1 view

GHSA-3XC2-H5R3-WV3R Kimai vulnerable to formula Injection via tag names in XLSX export

Summary Any ROLEUSER can create a tag with a formula string as its name e.g. =SUM54+51 via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue joins tag names with implode and returns the result unchanged. OpenSpout promotes any...

6.8 CVSS, 5.8 AI score, 0.00034 EPSS
Exploits 1, References 4

Patchstack
added 2026/04/09 9:44 p.m., 2 views

WordPress Advanced CF7 DB plugin <= 2.0.9 - Missing Authorization to Authenticated (Subscriber+) Form Submissions Excel Export vulnerability

Missing Authorization to Authenticated (Subscriber+) Form Submissions Excel Export vulnerability discovered by Kai Aizen in WordPress Plugin Advanced Contact form 7 DB versions <= 2.0.9...

4.3 CVSS, 5.9 AI score, 0.00032 EPSS
Exploits 0, References 1, Affected Software 1

EUVD
added 2026/04/08 9:33 p.m., 0 views

EUVD-2026-20530

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vszcf7exporttoexcel' function in all versions up to, and including, 2.0.9. This makes it possible for authenticated attackers, with Subscriber-level access an...

4.3 CVSS, 5.9 AI score, 0.00032 EPSS
Exploits 0, References 4

CNNVD
added 2026/01/22 12:0 a.m., 2 views

HUSTOJ security vulnerabilities

HUSTOJ is a popular OJ system developed by Zhang Haobin zhblue from China. HUSTOJ has security vulnerabilities; these vulnerabilities arise from the application not cleaning the input provided by users before exporting it to .xls files. This may lead to CSV injection and arbitrary command executi...

9 CVSS, 5.9 AI score, 0.00032 EPSS
Exploits 1, References 2

EUVD
added 2026/01/21 11:26 p.m., 4 views

EUVD-2026-4200

hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through the contest rank export functionality contestrank.xls.php and admin/ranklistexport.php. The application fails to sanitize...

5.2 CVSS, 6 AI score, 0.00032 EPSS
Exploits 1, References 1

RedhatCVE
added 2025/05/23 9:15 a.m., 1 view

CVE-2024-30860

netentsec NS-ASG 6.3 is vulnerable to SQL Injection via /admin/exportexceluser.php...

8.8 CVSS, 8.1 AI score, 0.00077 EPSS
Exploits 1, References 1

OSV
added 2024/08/12 3:39 p.m., 8 views

CVE-2024-42485 Filament Excel Vulnerable to Path Traversal Attack on Export Download Endpoint

Filament Excel enables Excel export for Filament admin resources. The export download route /filament-excel/{path} allowed downloading any file without login when the webserver allows ../ in the URL. Patched with Version v2.3.3...

7.5 CVSS, 6.7 AI score, 0.00738 EPSS
Exploits 0, References 4

CVE
added 2024/08/12 3:39 p.m., 45 views

CVE-2024-42485

CVE-2024-42485 affects Filament Excel. The vulnerability exists in the export download route /filament-excel/{path}, where an attacker could leverage directory traversal using ../ to download arbitrary files without authentication when the webserver allows such paths. This could disclose sensitiv...

7.5 CVSS, 7.5 AI score, 0.00738 EPSS
Exploits 0, References 2, Affected Software 1

CVE
added 2023/12/06 12:0 a.m., 29 views

CVE-2023-46354

The CVE-2023-46354 entry concerns PrestaShop’s Orders (CSV, Excel) Export PRO module (ordersexport)

7.5 CVSS, 7.2 AI score, 0.00073 EPSS
Exploits 0, References 1, Affected Software 1

ATTACKERKB
added 2022/03/24 10:15 p.m., 1 view

CVE-2022-26249

Survey King v0.3.0 does not filter data properly when exporting excel files, allowing attackers to execute arbitrary code or access sensitive information via a CSV injection attack...

9.8 CVSS, 6.1 AI score, 0.01201 EPSS
Exploits 1, References 2

NVD
added 2022/03/24 10:15 p.m., 14 views

CVE-2022-26249

Survey King v0.3.0 does not filter data properly when exporting excel files, allowing attackers to execute arbitrary code or access sensitive information via a CSV injection attack...

9.8 CVSS, 0.01201 EPSS
Exploits 1, References 1

Prion
added 2022/03/24 10:15 p.m., 10 views

Design/Logic Flaw

Survey King v0.3.0 does not filter data properly when exporting excel files, allowing attackers to execute arbitrary code or access sensitive information via a CSV injection attack...

7.5 CVSS, 9.5 AI score, 0.01201 EPSS
Exploits 1, References 1, Affected Software 1

Cvelist
added 2022/03/24 9:12 p.m., 14 views

CVE-2022-26249

Survey King v0.3.0 does not filter data properly when exporting excel files, allowing attackers to execute arbitrary code or access sensitive information via a CSV injection attack...

9.8 AI score, 0.01201 EPSS
Exploits 1, References 1

CNNVD
added 2022/03/24 12:0 a.m., 2 views

Survey King security vulnerability

Survey King is one of the most powerful, beautiful and easy-to-install open source survey questionnaire systems from the individual developers of Survey King in China. A security vulnerability exists in Survey King version v0.3.0, which stems from the application not properly filtering data when...

9.8 CVSS, 8.6 AI score, 0.01201 EPSS
Exploits 1, References 2

Microsoft KB
added 2021/11/22 12:0 a.m., 3 views

November 22, 2021—KB5007253 (OS Builds 19041.1387, 19042.1387, 19043.1387, and 19044.1387) Preview

November 22, 2021—KB5007253 OS Builds 19041.1387, 19042.1387, 19043.1387, and 19044.1387 Preview 11/9/21 IMPORTANT Because of minimal operations during the holidays and the upcoming Western new year, there won’t be a preview release known as a “C” release for the month of December 2021. There wil...

6.7 AI score
Exploits 0

OSV
added 2021/10/12 3:15 p.m., 0 views

CVE-2021-38180

SAP Business One - version 10.0, allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitation during the data export. An attacker could thereby execute arbitrary commands on the victim's computer but only if the victim allows to execute macros while...

9.8 CVSS, 6 AI score, 0.01279 EPSS
Exploits 0, References 2

OSV
added 2021/09/30 4:15 p.m., 0 views

CVE-2021-24016

An improper neutralization of formula elements in a csv file in Fortinet FortiManager version 6.4.3 and below, 6.2.7 and below allows attacker to execute arbitrary commands via crafted IPv4 field in policy name, when exported as excel file and opened unsafely on the victim host...

6.3 CVSS, 6 AI score
Exploits 0, References 1

PyPA
added 2021/09/29 2:15 p.m., 5 views

PYSEC-2021-355

“Shuup” application in versions 0.4.2 to 2.10.8 is affected by the “Formula Injection” vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and...

8.8 CVSS, 6.8 AI score, 0.00432 EPSS
Exploits 0, References 3, Affected Software 1

CNVD
added 2021/01/14 12:0 a.m., 3 views

Combodo iTop Access Control Error Vulnerability

Combodo iTop is an open source, ITIL-based web application from the French company Combodo for the daily operation of IT environments. The program provides incident management, configuration management and problem management. Combodo iTop 2.8.0 version of the previous security...

7.7 CVSS, 6.6 AI score, 0.00288 EPSS
Exploits 0, References 1