CVE-2025-62417Improper Neutralization of Formula Elements in a CSV File in Bagisto

CWE-1236Improper Neutralization of Formula Elements in a CSV File4 documents4 sources
Severity
7.1HIGHNVD
EPSS
0.2%
top 63.96%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
BagistoWebkul Bagisto
Timeline
PublishedOct 16

Description

Bagisto is an open source laravel eCommerce platform. When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved into a CSV and opened in spreadsheet software, the spreadsheet will interpret that cell as a formula. This allows an attacker to supply a CSV field (e.g., product name) that contains a formula which may be evaluated by a victim’s spreadsheet application — potentially leading to data exfiltration and remote com

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

CVEListV5bagisto/bagisto< 2.3.8
Packagistbagisto/bagisto< 2.3.8
NVDwebkul/bagisto2.3.7

🔴Vulnerability Details

3
GHSA
bagisto has CSV Formula Injection in Create New Product2025-10-16
CVEList
bagisto - CSV Formula Injection in Create New Product2025-10-16
OSV
bagisto has CSV Formula Injection in Create New Product2025-10-16
CVE-2025-62417 — Bagisto vulnerability | cvebase