
17 matches found

CVE
added 4 days ago, 14 views

CVE-2026-40544

SOPlanning is affected by a Stored XSS in the backup feature. An authenticated attacker with backup access can upload a crafted ZIP containing a malicious user.csv; the injected script executes in victims’ browsers when they click Edit on the malicious backup. Affected: SOPlanning v1.55 and earli...

5.1 CVSS, 5.9 AI score, 0.00047 EPSS
Exploits: 0, References: 2
Cvelist
added 2026/03/02 2:36 p.m., 14 views

CVE-2025-50186 Chamilo: Stored XSS via Malicious CSV Filename in user_import.php

Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists due to insufficient sanitization of CSV filenames. An attacker can upload a maliciously named CSV file e.g., .csv that leads to JavaScript execution when viewed by...

4.8 CVSS, 0.00067 EPSS
Exploits: 1, References: 3
CVE
added 2026/03/02 2:36 p.m., 4 views

CVE-2025-50186

Chamilo LMS prior to version 1.11.30 is affected by a stored XSS vulnerability in CSV filenames. The issue arises from insufficient sanitization of uploaded CSV names, allowing an attacker to upload a file such as .csv that can execute JavaScript when viewed by administrators or users with access...

4.8 CVSS, 5.9 AI score, 0.00067 EPSS
Exploits: 1, References: 3, Affected Software: 1
EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2020-17421

Malware in sbrugna...

9.3 CVSS, 7.6 AI score, 0.00341 EPSS
Exploits: 1, References: 4
EUVD
added 2025/10/03 8:07 p.m., 0 views

EUVD-2022-24858

Malicious code in bioql PyPI...

4.8 CVSS, 5 AI score, 0.00287 EPSS
Exploits: 2, References: 1
RedhatCVE
added 2025/05/23 12:22 a.m., 3 views

CVE-2025-45755

A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the application improper...

6.1 CVSS, 5 AI score, 0.00232 EPSS
Exploits: 0, References: 1
OSV
added 2025/05/21 8:15 p.m., 2 views

CVE-2025-45755

A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the application improper...

6.1 CVSS, 5.8 AI score, 0.00232 EPSS
Exploits: 0, References: 2
Cvelist
added 2025/05/21 12:00 a.m., 6 views

CVE-2025-45755

A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the application improper...

0.00232 EPSS
Exploits: 0, References: 2
RedhatCVE
added 2025/02/05 3:56 a.m., 3 views

CVE-2024-27321

An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its multilabel classification tasks handle provided CSV files. If a user creates a multilabel classification task using a maliciously crafted CSV file containing Python...

7.8 CVSS, 7.5 AI score, 0.0009 EPSS
Exploits: 0, References: 1
CNNVD
added 2024/09/12 12:00 a.m., 1 view

Autolabel Security Vulnerability

Autolabel is a Python library open-sourced by refuel-ai. It is used to label, clean, and enrich textual datasets using any Large Language Model (LLM). A security vulnerability exists in Autolabel 0.0.8 and earlier versions, which stems from the presence of an arbitrary code execution vulnerability...

7.8 CVSS, 7.5 AI score, 0.0009 EPSS
Exploits: 0, References: 2
CNNVD
added 2023/01/03 12:00 a.m., 1 view

WordPress Plugin Members Import Cross-Site Scripting Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A cross-site scripting vulnerability exists...

6.1 CVSS, 6 AI score, 0.00246 EPSS
Exploits: 1, References: 3
wpexploit
added 2022/08/17 12:00 a.m., 487 views

Mobile Events Manager < 1.4.8 - Admin+ CSV Injection

The plugin does not properly escape the Enquiry source field when exporting events, or the Paid for field when exporting transactions as CSV, leading to a CSV injection vulnerability. Export events with malicious CSV: 1. Create and save a new Enquiry source and add the following in the name field...

8.8 CVSS, 0.5 AI score, 0.01195 EPSS
Exploits: 2
OSV
added 2020/06/03 10:15 p.m., 15 views

CVE-2020-5298

In OctoberCMS october/october composer package versions from 1.0.319 and before 1.0.466, a user with the ability to use the import functionality of the ImportExportController behavior can be socially engineered by an attacker to upload a maliciously crafted CSV file which could result in a...

4.8 CVSS, 6.1 AI score
Exploits: 0, References: 4
OSV
added 2020/03/18 10:15 p.m., 3 views

CVE-2019-19676

A CSV injection in arxes-tolina 3.0.0 allows malicious users to gain remote control of other computers. By entering formula code in the following columns: Kundennummer, Firma, Street, PLZ, Ort, Zahlziel, and Bemerkung, an attacker can create a user with a name that contains malicious code. Other...

9.6 CVSS, 7.4 AI score
Exploits: 0, References: 1
CNVD
added 2017/12/26 12:00 a.m., 1 view

Huawei SmartCare CSV Injection Vulnerability

Huawei SmartCare is an end-to-end user perception enhancement and assurance solution from Huawei, China, to improve customer experience in the telecom sector. A CSV injection vulnerability exists in Huawei SmartCare. A remote attacker can exploit this vulnerability to inject malicious CSV...

8.8 CVSS, 7.3 AI score, 0.00181 EPSS
Exploits: 0, References: 1
OSV
added 2017/11/16 9:29 p.m., 2 views

CVE-2017-4931

VMware AirWatch Console 9.x prior to 9.2.0 contains a vulnerability that could allow an authenticated AWC user to add malicious data to an enrolled device's log files. Successful exploitation of this issue could result in an unsuspecting AWC user opening a CSV file which contains malicious conten...

7.8 CVSS, 5.8 AI score
Exploits: 0, References: 3
Packet Storm
added 2016/04/04 12:00 a.m., 38 views

BugCrowd CSV Injection

Description: A vulnerability in the file upload feature allows attackers to send malicious CSV files. By using the Microsoft Excel DDE function an attacker can launch arbitrary commands on the victim's system. Many companies don't allow xlsx or docx files to be uploaded by security testers, becaus...

7.4 AI score
Exploits: 0