Impact
An input validation flaw in HostBill lets a remote attacker inject malicious CSV data during user registration. By submitting specially crafted CSV entries, the attacker can trigger arbitrary code execution on the server, compromising confidentiality, integrity and availability. The same flaw enables privilege escalation: the attacker can obtain permissions beyond those the registration process is meant to grant.
Affected Systems
HostBill, a web-based billing and automation platform, is affected in its November and December 2025 releases (v.2025-11-24 and v.2025-12-01). Operators running either version should check whether CSV-based registration is enabled and, if it is, disable it until a fixed release has been applied.
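The summary above does not say how the crafted CSV reaches the server-side execution path, and HostBill's own registration code is not shown here. The following is an added example, not HostBill code and not derived from the CVE record: a generic guard for the CSV-injection class that rejects registration fields starting like a spreadsheet formula (`=`, `@`, `+`, `-`, tab, CR) or containing characters that break CSV structure, and a matching defensive exporter. The field names and sample submissions are constructed for illustration; the assumption that the flaw belongs to this class is mine.

```python
import csv
import io
import re

# Leading characters that common spreadsheet applications interpret as the
# start of a formula when a CSV file is opened. Tab and CR are included
# because some importers strip them and then evaluate what follows.
FORMULA_TRIGGERS = ("=", "@", "+", "-", "\t", "\r")

# A '+' or '-' followed only by digits, spaces and phone punctuation is a
# number or phone, not a formula (e.g. "+44 20 7946 0000").
NUMERIC_RE = re.compile(r"^[+-][\d\s().-]+$")

# Characters that can split or re-quote a record when the value is later
# written out as CSV.
STRUCTURE_BREAKERS = ("\n", "\r", '"')


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would treat this cell as a formula."""
    cell = value.lstrip(" ")            # leading spaces do not protect the cell
    if not cell.startswith(FORMULA_TRIGGERS):
        return False
    return NUMERIC_RE.match(cell) is None


def validate_registration(fields: dict) -> dict:
    """Return {field: reason} for every field that must be rejected.

    An empty result means the submission is safe to store and to export.
    Field names are hypothetical; a real handler would use its own schema.
    """
    problems = {}
    for name, value in fields.items():
        if not isinstance(value, str):
            problems[name] = "not a string"
        elif len(value) > 256:
            problems[name] = "too long"
        elif is_formula_like(value):
            problems[name] = "starts like a spreadsheet formula"
        elif any(c in value for c in STRUCTURE_BREAKERS):
            problems[name] = "contains a line break or quote"
    return problems


def neutralize_cell(value: str) -> str:
    """Defensive export: prefix a formula-like cell with an apostrophe so the
    spreadsheet shows it as text (the cell is also quoted on output)."""
    return "'" + value if is_formula_like(value) else value


def export_row(values) -> str:
    """Write one CSV record with every cell quoted and formulas neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(neutralize_cell(v) for v in values)
    return buf.getvalue()


# Constructed sample submissions (not real HostBill data).
BENIGN = {"first_name": "Ada", "company": "Acme-Ltd", "phone": "+44 20 7946 0000"}
MALICIOUS = {
    "first_name": '=HYPERLINK("http://attacker.example/","open")',
    "company": "Acme\nLtd",
    "phone": "-1 * 2",
}

if __name__ == "__main__":
    print(validate_registration(BENIGN))
    print(validate_registration(MALICIOUS))
    print(export_row(["Ada", "=SUM(1,2)", "plain"]), end="")
```

Rejecting at registration time is the primary control; the export-side neutralization is defence in depth for records that were stored before the guard existed. The numeric exception keeps international phone numbers and negative amounts from being rejected, which is the usual false-positive source when a blanket leading-character filter is applied.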
Risk and Exploitability
The flaw is rated critical, with a severity score of 9.8, because it allows arbitrary code execution and privilege escalation. If that figure is a CVSS v3.x base score, the only vector that produces 9.8 is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (network-reachable, low complexity, no privileges, no user interaction); the vector itself is not published here, so treat this as an inference. The estimated exploitation probability is reported as below 1%: low, but not zero. No public exploit is known, but the nature of the flaw suggests a determined attacker could craft CSV data to trigger it. The CVE description does not say whether authentication is required to reach the registration endpoint; registration endpoints are normally reachable before login, so if it is exposed to the internet the flaw may be exploitable without credentials. The vulnerability is not listed in the CISA KEV catalog, but its impact warrants urgent attention.
OpenCVE Enrichment