959 matches found
CVE-2026-47375 NocoDB: Postgres SQL Injection in Formula `ARRAYSORT`
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, an authenticated user with columnAdd permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional direction argument of ARRAYSORT.... The value is unrestricted by formula...
CVE-2026-47375
CVE-2026-47375 (NocoDB) : A Postgres-backed deployment is vulnerable to authenticated SQL injection through the ARRAYSORT formula when a user with columnAdd permission supplies a malicious second argument. The issue arises because the attacker-controlled value is embedded into a knex.raw ORDER BY...
@actual-app/web has CSV Formula Injection in Transaction Export via Imported Payee/Notes Fields
Summary exportToCSV and exportQueryToCSV in packages/loot-core/src/server/transactions/export/export-to-csv.ts pass user-controlled Payee, Notes, Account, and Category strings to csv-stringify with no cast callback and no formula-prefix neutralization. Strings that begin with =, +, -, @, tab, or...
CSV Injection
Overview Affected versions of this package are vulnerable to CSV Injection in the exportToCSV and exportQueryToCSV processes, where user-controlled input from fields such as Payee and Notes is passed to CSV export without neutralizing formula-triggering characters. An attacker can cause...
@actual-app/cli `--format csv` Output Vulnerable to CSV Formula Injection via Custom `escapeCsv` Helper
Summary @actual-app/cli ships a hand-rolled CSV serializer in packages/cli/src/output.ts used whenever the global --format csv option is passed whose escapeCsv helper only handles RFC 4180 delimiter/quote/newline escaping. It does not neutralize the standard CSV formula-injection prefixes =, +, -...
CSV Injection
Overview @actual-app/cli is a CLI for Actual Budget Affected versions of this package are vulnerable to CSV Injection via the escapeCsv function, which fails to neutralize formula-triggering prefixes in user-controlled fields when exporting data to CSV format. An attacker can cause arbitrary...
CSV Injection
Overview Affected versions of this package are vulnerable to CSV Injection via the escapeCsv function, which fails to neutralize formula-triggering prefixes in user-controlled fields when exporting data to CSV format. An attacker can cause arbitrary formula execution or data exfiltration by...
CVE-2026-12862
Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file...
EUVD-2026-38220
Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file...
CVE-2026-12862
The CVE-2026-12862 entry documents a formula-injection risk in XLSX exports where untrusted user data is passed directly to Excel exports for administrators. Root cause: untrusted data used in the export path enables Excel formulas to be interpreted when the file is opened, potentially compromisi...
CVE-2026-12862 XLSX formula injection in exports
Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file...
CVE-2026-12862
Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file...
PT-2026-51455
Name of the Vulnerable Software and Affected Versions Actual versions prior to 26.6.0 Description Actual is a local-first personal finance tool that fails to neutralize formula-trigger characters when exporting data to CSV. The functions exportToCSV and exportQueryToCSV in...
PT-2026-51447
Name of the Vulnerable Software and Affected Versions @actual-app/cli versions prior to 26.6.0 Description The @actual-app/cli tool contains a CSV serialization issue in the escapeCsv function within packages/cli/src/output.ts. When the --format csv option is used, the serializer only handles...
CVE-2026-8357
LibreOffice Calc compiles cell formulas when opening a spreadsheet. A heap buffer overflow existed when compiling a very long formula made up of many opening tokens. The array that tracks nesting depth was allocated one element too small for that worst case, so such a formula wrote one element pa...
CVE-2026-8357 Heap buffer overflow in Calc formula compilation
LibreOffice Calc compiles cell formulas when opening a spreadsheet. A heap buffer overflow existed when compiling a very long formula made up of many opening tokens. The array that tracks nesting depth was allocated one element too small for that worst case, so such a formula wrote one element pa...
EUVD-2026-36739
LibreOffice Calc compiles cell formulas when opening a spreadsheet. A heap buffer overflow existed when compiling a very long formula made up of many opening tokens. The array that tracks nesting depth was allocated one element too small for that worst case, so such a formula wrote one element pa...
CVE-2026-8357
CVE-2026-8357 affects LibreOffice Calc. A heap buffer overflow occurs when compiling very long formulas with many opening tokens: the nesting-depth tracking array was allocated too small for the worst case, causing writes past the end. In fixed versions the array is sized to hold the largest poss...
CVE-2026-8357 Heap buffer overflow in Calc formula compilation
LibreOffice Calc compiles cell formulas when opening a spreadsheet. A heap buffer overflow existed when compiling a very long formula made up of many opening tokens. The array that tracks nesting depth was allocated one element too small for that worst case, so such a formula wrote one element pa...
CVE-2026-8357
LibreOffice Calc compiles cell formulas when opening a spreadsheet. A heap buffer overflow existed when compiling a very long formula made up of many opening tokens. The array that tracks nesting depth was allocated one element too small for that worst case, so such a formula wrote one element pa...