Lucene search
K

5 matches found

Github Security Blog
Github Security Blog
added 2026/06/22 9:42 p.m.8 views

@actual-app/cli `--format csv` Output Vulnerable to CSV Formula Injection via Custom `escapeCsv` Helper

Summary @actual-app/cli ships a hand-rolled CSV serializer in packages/cli/src/output.ts used whenever the global --format csv option is passed whose escapeCsv helper only handles RFC 4180 delimiter/quote/newline escaping. It does not neutralize the standard CSV formula-injection prefixes =, +, -...

4.6CVSS6.1AI score0.00188EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/02/03 12:30 p.m.8 views

Moodle formula injection vulnerability

A flaw was found in Moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to...

7.8CVSS5.7AI score0.00251EPSS
Exploits0References8Affected Software1
OSV
OSV
added 2026/02/03 11:15 a.m.4 views

UBUNTU-CVE-2025-67851

A flaw was found in moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to...

7.8CVSS6AI score0.00251EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/02/03 10:52 a.m.27 views

CVE-2025-67851 Moodle: moodle: formula injection allows arbitrary formula execution via unescaped data export

A flaw was found in moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to...

6.1CVSS0.00251EPSS
Exploits0References3
CVE
CVE
added 2025/10/16 6:32 p.m.11 views

CVE-2025-62417

Bagisto (open-source Laravel eCommerce platform) is affected by CVE-2025-62417 due to improper handling of leading spreadsheet formula characters (e.g., =, +, -, @) in CSV data, allowing formulas to be interpreted when a CSV is opened in spreadsheet software. This leads to potential data exfiltra...

8.5CVSS6.7AI score0.00366EPSS
Exploits1References1Affected Software1
Rows per page
Query Builder