CVE-2020-36941

CRITICAL

Knockpy 4.1.1 - CSV Injection via Server Header Manipulation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-36941. PoCs published by Dolev Farhi.

AI-analyzed exploit summary This is a technical writeup detailing a CSV injection vulnerability in Knockpy 4.1.1, where unfiltered Server HTTP Response Headers are reflected into CSV output. The author provides vulnerable code segments and an example malicious Nginx configuration to exploit the issue.

Description

Knockpy 4.1.1 contains a CSV injection vulnerability that allows attackers to inject malicious formulas into CSV reports through unfiltered server headers. Attackers can manipulate server response headers to include spreadsheet formulas that will execute when the CSV is opened in spreadsheet applications.

Exploits (1)

exploitdb WRITEUP
by Dolev Farhi · textlocalpython
https://www.exploit-db.com/exploits/49342

This is a technical writeup detailing a CSV injection vulnerability in Knockpy 4.1.1, where unfiltered Server HTTP Response Headers are reflected into CSV output. The author provides vulnerable code segments and an example malicious Nginx configuration to exploit the issue.

Classification
Writeup 90%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: Knockpy 4.1.1
No auth needed
Prerequisites: Control over a server's HTTP response headers
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3
Core References
Various Sources product
https://github.com/guelfoweb/knock
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/knockpy-csv-injection
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/49342

Scores

CVSS v3 9.8
EPSS 0.0049
EPSS Percentile 38.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-1236
Status published
Products (2)
guelfoweb/knock 4.1.1
guelfoweb/knockpy 4.1.1
Published Jan 27, 2026
Tracked Since Feb 18, 2026