CVE-2018-9106

HIGH

Acyba AcySMS < 3.5.0 - CSV Injection via Export Feature

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-9106. PoCs published by Sureshbabu Narvaneni.

AI-analyzed exploit summary This is a writeup describing a CSV injection vulnerability in Joomla! Component AcySMS 3.5.0. The exploit involves renaming a user to include a malicious formula that executes when exported to CSV by a high-privileged user.

Description

CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in the Acyba AcySMS extension before 3.5.1 for Joomla! via a value that is mishandled in a CSV export.

Exploits (1)

exploitdb WRITEUP VERIFIED

by Sureshbabu Narvaneni · textwebappsphp

https://www.exploit-db.com/exploits/44370

View Code ZIP pw:eip

This is a writeup describing a CSV injection vulnerability in Joomla! Component AcySMS 3.5.0. The exploit involves renaming a user to include a malicious formula that executes when exported to CSV by a high-privileged user.

Classification

Writeup 90%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: Joomla! Component AcySMS 3.5.0

Auth required

Prerequisites: Access to a low-privileged user account with rename capabilities in AcySMS · High-privileged user to export the data to CSV

MITRE ATT&CK

T1221 - Template Injection

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/44370/

Vendor Advisory x_refsource_misc

https://www.acyba.com/acysms/change-log.html

Scores

CVSS v3 8.8

EPSS 0.0564

EPSS Percentile 92.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-1236

Status published

Products (1)

acyba/acysms < 3.5.0

Published Mar 28, 2018

Tracked Since Feb 18, 2026