CVE-2018-9107

HIGH

Acyba AcyMailing <5.9.6 - CSV Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-9107. PoCs published by Sureshbabu Narvaneni.

AI-analyzed exploit summary: This is a writeup describing a CSV injection vulnerability in Joomla's AcyMailing Starter component. The PoC involves renaming a user to include a malicious formula that executes when exported to CSV.

Description

CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in the Acyba AcyMailing extension before 5.9.6 for Joomla! via a value that is mishandled in a CSV export.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Sureshbabu Narvaneni · text · webapps · php
https://www.exploit-db.com/exploits/44369


Classification: Writeup 90%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: AcyMailing Starter for Joomla! < 5.9.6
Auth required
Prerequisites: Access to a low-privileged user account with AcyMailing component access · High-privileged user exporting user data to CSV
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Vendor Advisory x_refsource_misc
https://www.acyba.com/acymailing/change-log.html
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44369/

Scores

CVSS v3: 8.8
EPSS: 0.0742
EPSS Percentile: 93.7%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE: CWE-1236
Status: published
Products (1): acyba/acymailing < 5.9.5
Published: Mar 28, 2018
Tracked Since: Feb 18, 2026