XLSX formula injection in exports_CVE-2026-12862

5.1 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Description

Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file.

Basic Information

ID CVE-2026-12862

Source rami.io

Published Jun 22, 2026 at 08:26

Affected Product

Vendor pretix

Product Venueless

Version 0.0.0

Affected Versions pretix Venueless 0.0.0

CWE Classification

CWE-148

References

github.com /venueless/venueless/security/advisories/GHSA-5hw3-655h-7m86

{
    "lastseen": "",
    "description": "Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file.",
    "published": "2026-06-22T08:26:10.365Z",
    "modified": "2026-06-22T08:26:10.365Z",
    "type": "cve",
    "title": "XLSX formula injection in exports",
    "source": "rami.io",
    "references": "https://github.com/venueless/venueless/security/advisories/GHSA-5hw3-655h-7m86",
    "id": "CVE-2026-12862",
    "bulletinFamily": "",
    "cwe": [
        "CWE-148"
    ],
    "cvelist": null,
    "sourceData": "pretix Venueless 0.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.1,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Venueless",
    "version": "0.0.0",
    "vendor": "pretix",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}