CVE-2026-12862

June 22, 2026, 2:16 p.m.

5.1
Medium

Description

Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file.

Product(s) Impacted

Vendor Product Versions
Excel Tool
  • Excel Export
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-148
Improper Neutralization of Input Leaders
The product does not properly handle when a leading character or sequence ("leader") is missing or malformed, or if multiple leaders are used when only one should be allowed.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a excel_tool excel_export / / / / / / / /

References

https://github.com/venueless/venueless/security/advisories/GHSA-5hw3-655h-7m86

Tags

655498c3-6ec5-4f0b-aea6-853b334d05a6
2026-06-22
CVE-2026-12862
CWE-148

CVSS Score

5.1 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: LOW
  • User Interaction: PASSIVE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: June 22, 2026, 10:16 a.m.
Last Modified: June 22, 2026, 2:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

655498c3-6ec5-4f0b-aea6-853b334d05a6

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.