XLSX formula injection in exports
Summary
| CVE | CVE-2026-12862 |
|---|---|
| State | PUBLISHED |
| Assigner | rami.io |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-22 10:16:18 UTC |
| Updated | 2026-06-23 15:42:30 UTC |
| Description | Untrusted user data was passed verbatim into Excel exports generated for administrators. This allowed formula injection, which can be used to compromise the environment of the user who opens the file or to tamper with other data in the file. |
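The mitigation for this class of bug (CWE-148) is to neutralize spreadsheet formula leaders before untrusted strings reach the export writer. The following is an added, library-agnostic illustration and not code from venueless or the advisory: it assumes the commonly cited trigger set (`=`, `+`, `-`, `@`, tab, carriage return), treats a string as formula-like even after leading whitespace (a conservative choice, not a specification), prefixes such strings with a single quote so spreadsheet applications store them as text, and leaves typed numbers untouched so a legitimate negative count is not mangled. It also includes a detection helper for auditing rows that are already built, and the sample rows are constructed for the example.

```python
"""Neutralize spreadsheet formula leaders in export data (CWE-148).

Added illustrative code, not part of the venueless project. The trigger
characters follow the commonly cited CSV/XLSX injection list; stripping
leading whitespace before checking is a conservative assumption.
"""
from typing import Any, List, Sequence, Tuple

# Characters that make a spreadsheet application evaluate a cell as a formula.
FORMULA_LEADERS = ("=", "+", "-", "@", "\t", "\r")
# Leaders that still matter once leading whitespace has been removed.
BARE_LEADERS = ("=", "+", "-", "@")


def is_formula_like(value: Any) -> bool:
    """Return True if a *string* cell would be interpreted as a formula.

    Non-string values (int, float, None) are written as typed cells by any
    sane XLSX writer and are never formulas, so they are left alone.
    """
    if not isinstance(value, str) or not value:
        return False
    if value[:1] in FORMULA_LEADERS:
        return True
    # Assumption: some spreadsheet apps ignore leading whitespace, so be strict.
    stripped = value.lstrip(" \t\r\n")
    return stripped[:1] in BARE_LEADERS


def sanitize_cell(value: Any) -> Any:
    """Prefix a formula-like string with an apostrophe so it is stored as text."""
    if is_formula_like(value):
        return "'" + value
    return value


def sanitize_rows(rows: Sequence[Sequence[Any]]) -> List[List[Any]]:
    """Apply sanitize_cell to every cell; feed the result to the XLSX writer."""
    return [[sanitize_cell(cell) for cell in row] for row in rows]


def find_formula_cells(rows: Sequence[Sequence[Any]]) -> List[Tuple[int, int, str]]:
    """Detection helper: (row, col, value) for each cell that would run as a formula."""
    findings = []
    for r, row in enumerate(rows):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample export: attendee-style rows with two hostile name fields.
SAMPLE_ROWS = [
    ["name", "email", "tickets"],
    ["Alice", "alice@example.com", 2],
    ["=1+1", "bob@example.com", 1],
    ["  @SUM(1,2)", "carol@example.com", 3],
    ["-5 (seats)", "dan@example.com", -5],
]

if __name__ == "__main__":
    for finding in find_formula_cells(SAMPLE_ROWS):
        print("formula-like cell:", finding)
    for row in sanitize_rows(SAMPLE_ROWS):
        print(row)
```

`sanitize_rows` is meant to sit immediately in front of whatever writes the workbook (for example a loop calling the writer's row-append method); the apostrophe is the spreadsheet convention for "store as text" and is not displayed in the cell. The detection helper is useful for checking exports produced before the fix.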
Risk And Classification
Primary CVSS: v4.0 5.1 MEDIUM from 655498c3-6ec5-4f0b-aea6-853b334d05a6
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.002260000 probability, percentile 0.131630000 (date 2026-06-28)
Problem Types: CWE-148 Improper Neutralization of Input Leaders
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | 655498c3-6ec5-4f0b-aea6-853b334d05a6 | Secondary | 5.1 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 5.1 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N |
CVSS v4.0 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Attack Requirements | None |
| Privileges Required | Low |
| User Interaction | Passive |
| Confidentiality | None |
| Integrity | Low |
| Availability | None |
| Sub Conf. | None |
| Sub Integrity | Low |
| Sub Availability | None |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/venueless/venueless/security/advisories/GHSA-5hw3-655h-7m86 | 655498c3-6ec5-4f0b-aea6-853b334d05a6 | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Rokkam Vamshi (en)
There are currently no legacy QID mappings associated with this CVE.