CVE-2025-49597 handcraftedinthealps goodby-csv Potential Gadget Chain allowing Remote Code Execution

handcraftedinthealps goodby-csv is a highly memory efficient, flexible and extendable open-source CSV import/export library. Prior to 1.4.3, goodby-csv could be used as part of a chain of methods that is exploitable when an insecure deserialization vulnerability exists in an application. This...

CVE-2025-49597 handcraftedinthealps goodby-csv Potential Gadget Chain allowing Remote Code Execution

handcraftedinthealps goodby-csv is a highly memory efficient, flexible and extendable open-source CSV import/export library. Prior to 1.4.3, goodby-csv could be used as part of a chain of methods that is exploitable when an insecure deserialization vulnerability exists in an application. This...

CVE-2025-49597

The CVE-2025-49597 entry concerns handcraftedinthealps/goodby-csv prior to version 1.4.3. It describes an insecure deserialization gadget chain that, if an application deserializes untrusted data due to another vulnerability, could be leveraged to achieve remote code execution. The issue is patch...

CVE-2025-49597 handcraftedinthealps goodby-csv Potential Gadget Chain allowing Remote Code Execution

handcraftedinthealps goodby-csv is a highly memory efficient, flexible and extendable open-source CSV import/export library. Prior to 1.4.3, goodby-csv could be used as part of a chain of methods that is exploitable when an insecure deserialization vulnerability exists in an application. This...

PT-2025-25443 · Unknown · Goodby-Csv

Name of the Vulnerable Software and Affected Versions: goodby-csv versions prior to 1.4.3 Description: The issue concerns an insecure deserialization vulnerability in the goodby-csv library, which can be used as part of a "gadget chain" to achieve remote code execution if an application...

Handcrafted in the Alps Goodby CSV 安全漏洞

Handcrafted in the Alps Goodby CSV is a Handcrafted in the Alps open source application. A security vulnerability exists in Handcrafted in the Alps Goodby CSV versions prior to 1.4.3, which stems from insecure deserialization and could lead to remote code execution...

WordPress CSV Mass Importer plugin <= 1.2 - Admin+ Arbitrary File Upload vulnerability

Admin+ Arbitrary File Upload vulnerability discovered by Khaled Alenazi Nxploited in WordPress Plugin CSV Mass Importer versions = 1.2...

com.github.hazendaz:displaytag (>=2.8.0 <=3.3.0), com.github.hazendaz:displaytag-examples (>=2.8.0 <=3.3.0) +8 more potentially affected by CVE-2025-48734 via org.apache.commons:commons-beanutils2 (=2.0.0-M1)

org.apache.commons:commons-beanutils2 MAVEN version =2.0.0-M1 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.commons:commons-beanutils2 and may be impacted: - com.github.hazendaz:displaytag =2.8.0, =2.8.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0,...

CVE-2025-23110

An issue was discovered in REDCap 14.9.6. A Reflected cross-site scripting XSS vulnerability in the email-subject field exists while performing an upload of a CSV file containing a list of alert configurations. An attacker can send the victim a CSV file containing the XSS payload in the...

CVE-2024-47485

There is a CSV injection vulnerability in some HikCentral Master Lite versions. If exploited, an attacker could build malicious data to generate executable commands in the CSV file...

CVE-2024-27113

An unauthenticated Insecure Direct Object Reference IDOR to the database has been found in the SO Planning tool that occurs when the public view setting is enabled. An attacker could use this vulnerability to gain access to the underlying database by exporting it as a CSV file. The vulnerability...

CVE-2024-42901

A CSV injection vulnerability in Lime Survey v6.5.12 allows attackers to execute arbitrary code via uploading a crafted CSV file...

CVE-2024-41226

A CSV injection vulnerability in Automation Anywhere Automation 360 version 21094 allows attackers to execute arbitrary code via a crafted payload. NOTE: Automation Anywhere disputes this report, arguing the attacker executes everything from the client side and does not attack the Control Room. T...

CVE-2024-28328

CSV Injection vulnerability in the Asus RT-N12+ router allows administrator users to inject arbitrary commands or formulas in the client name parameter which can be triggered and executed in a different user session upon exporting to CSV format...

CVE-2024-27785

An improper neutralization of formula elements in a CSV File CWE-1236 vulnerability in Fortinet FortiAIOps 2.0.0 may allow a remote authenticated attacker to execute arbitrary commands on a client's workstation via poisoned CSV reports...

CVE-2024-2656

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a CSV import in all versions up to, and including, 5.7.14 due to insufficient input sanitization and output escapin...

CVE-2024-29375

CSV Injection vulnerability in Addactis IBNRS v.3.10.3.107 allows a remote attacker to execute arbitrary code via a crafted .ibnrs file to the Project Description, Identifiers, Custom Triangle Name inside Input Triangles and Yield Curve Name parameters...

CVE-2024-27756

GLPI through 10.0.12 allows CSV injection by an attacker who is able to create an asset with a crafted title...

CVE-2024-24337

CSV Injection vulnerability in '/members/moremember.pl' and '/admin/aqbudgets.pl' endpoints in Koha Library Management System version 23.05.05 and earlier allows attackers to to inject DDE commands into csv exports via the 'Budget' and 'Patrons Member' components...

CVE-2024-41806

The Open edX Platform is a learning management platform. Instructors can upload csv files containing learner information to create cohorts in the instructor dashboard. These files are uploaded using the django default storage. With certain storage backends, uploads may become publicly available...