15 matches found
GHSA-X2V3-9P22-W3X6 phpMyFAQ contains a CSV injection vulnerability
phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV fil...
PT-2025-51967
Name of the Vulnerable Software and Affected Versions: phpMyFAQ version 3.1.12 Description: The software contains a CSV injection flaw that permits authenticated users to inject malicious formulas into their profile names. An attacker can modify their user profile name with a payload such as...
CVE-2025-42891 Missing Authorization check in SAP Enterprise Search for ABAP
Due to a missing authorization check in SAP Enterprise Search for ABAP, an attacker with high privileges may read and export the contents of database tables into an ABAP report. This could lead to a high impact on data confidentiality and a low impact on data integrity. There is no impact on...
CVE-2025-62417 bagisto - CSV Formula Injection in Create New Product
Bagisto is an open source Laravel eCommerce platform. When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved into a CSV and opened in spreadsheet software, the spreadsheet will interpret that cell as a formula. This...
EUVD-2021-0241
Malware in sbrugna...
EUVD-2021-13793
Malware in sbrugna...
EUVD-2024-17424
Malicious code in bioql PyPI...
EUVD-2024-50429
Malicious code in bioql PyPI...
PT-2025-35312
Name of the Vulnerable Software and Affected Versions: Voice Changer App versions up to 1.1.0 Description: A vulnerability exists in Voice Changer App due to improper export of Android application components resulting from unknown processing of the AndroidManifest.xml file within the...
Yeelight App security vulnerability
Yeelight App is an application for controlling smart lighting products from the Chinese company Yeelight. A security vulnerability exists in Yeelight App 3.5.4 and earlier versions. It originates from the AndroidManifest.xml file, which causes improper export of Android components...
PT-2025-27855 · WordPress · Booking X
Name of the Vulnerable Software and Affected Versions: Booking X plugin for WordPress versions 1.0 through 1.1.2 Description: The issue allows unauthorized access to data due to a missing capability check on the export now function. This enables unauthenticated attackers to download all plugin...
CVE-2024-13693
The Enfold theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check in avia-export-class.php in all versions up to, and including, 6.0.9. This makes it possible for unauthenticated attackers to export all avia settings which may include sensitive...
PT-2025-6610 · WordPress · Formcraft
Name of the Vulnerable Software and Affected Versions: FormCraft plugin for WordPress versions up to and including 3.9.11 Description: The issue arises from a missing capability check in formcraft-main.php, allowing authenticated attackers with Subscriber-level access and above to export all plug...
thunderbird: Unsanitized address book fields
A flaw was found in Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For...
CSV Injection on node label
Summary: CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. An authenticated malicious user can insert a crafted formula in the node label that can be later executed on another system after another user has downloaded and opened the node li...