Description
An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field
Published: 2026-04-14
Score: n/a
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An input validation flaw in HostBill allows a remote attacker to inject malicious CSV data during user registration. By submitting specially crafted CSV entries, an attacker can trigger arbitrary code execution on the server, resulting in loss of confidentiality, integrity, and availability. The vulnerability also enables privilege escalation, allowing the attacker to gain elevated permissions beyond those intended for the registration process.

Affected Systems

HostBill, a web-based billing and automation platform, is affected in the October and November 2025 releases (v.2025-11-24 and v.2025-12-01). Users running these versions should verify whether the CSV registration feature is enabled and, if so, consider disabling it until a patch is applied.

Risk and Exploitability

The flaw carries a high severity, with automatic code execution and privilege escalation; the lack of a publicly available exploit or EPSS score is mitigated by the obvious nature of the exploitation path through the CSV upload. Attackers need only access to the registration endpoint; no authentication is required to upload the malicious CSV, meaning users or guests can exploit it. EPSS is unavailable, but the existence of a public advisory and targeted release notes indicates that knowledgeable attackers could weaponize this flaw. The vulnerability is not listed in the CISA KEV catalog, but its impact suggests it is a high‑risk issue.

Generated by OpenCVE AI on April 14, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HostBill to the latest release (e.g., 2025-12-01 or later) that removes the vulnerable CSV registration handling.
  • If an upgrade is not immediately possible, disable or remove the CSV registration feature to block the attack vector.
  • Implement input validation on any CSV processing endpoints to reject malicious syntax before execution.
  • Audit logs for abnormal CSV upload activity and block suspicious IP addresses.
  • Apply general security hardening: ensure only authorized users can access registration endpoints and enforce the principle of least privilege.

Generated by OpenCVE AI on April 14, 2026 at 14:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Unvalidated CSV Registration in HostBill
Weaknesses CWE-269
CWE-730

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Hostbillapp
Hostbillapp hostbill
Vendors & Products Hostbillapp
Hostbillapp hostbill

Tue, 14 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field
References

Subscriptions

Hostbillapp Hostbill
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T13:28:53.517Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31049

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-14T14:16:13.130

Modified: 2026-04-14T14:16:13.130

Link: CVE-2026-31049

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:32:00Z

Weaknesses