Description
Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file.
Published: 2026-06-22
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows untrusted user data to be written verbatim into Excel exports for administrators, which can result in formula injection. When an administrator or a user opens the exported file in Excel, the injected formula can be executed, allowing the attacker to run arbitrary code or access sensitive data within the environment of the machine that opens the file. This flaw stems from the failure to validate or sanitize user input before inclusion in the exported spreadsheet (CWE-148).

Affected Systems

The flaw affects the Venueless product developed by Pretix. No specific version numbers are supplied in the advisory, so all versions of Venueless that provide an unfiltered Excel export functionality should be considered potentially vulnerable until the vendor releases a fix.

Risk and Exploitability

With a CVSS score of 5.1, the vulnerability is rated moderate. No EPSS score was disclosed and it is not listed in the CISA KEV catalog, indicating that the vulnerability may not be widely exploited yet. The attack requires a user who can download the export and open it in Excel, so the exploit can be performed locally by anyone capable of executing the file. The flaw is most likely to affect users who have administrative credentials and use the export feature to create spreadsheets for analysis or reporting.

Generated by OpenCVE AI on June 22, 2026 at 11:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-released patch or upgrade to the latest version of Venueless that properly sanitizes user input before generating Excel exports.
  • If a patch is not available, disable Excel formula evaluation or enable the software’s security settings to warn users about potential malicious formulas.
  • Restrict the export feature to trusted administrative users and monitor the system for attempts to download or alter export files.

Generated by OpenCVE AI on June 22, 2026 at 11:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 10:00:00 +0000

Type Values Removed Values Added
Description Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file.
Title XLSX formula injection in exports
Weaknesses CWE-148
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: rami.io

Published:

Updated: 2026-06-22T08:26:10.365Z

Reserved: 2026-06-22T08:16:55.107Z

Link: CVE-2026-12862

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T11:30:05Z

Weaknesses
  • CWE-148

    Improper Neutralization of Input Leaders