CVE-2021-46363

HIGH

Magnolia CMS < 6.2.4 - Formula Injection via CSV/XLS Export


Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-46363. PoCs published by mbadanoiu.

AI-analyzed exploit summary: This repository provides a writeup for CVE-2021-46363, a formula injection vulnerability in Magnolia CMS v6.2.3 and below. The vulnerability allows attackers to inject malicious formulas into exported CSV/XLS files, potentially leading to arbitrary code execution when opened in Microsoft Excel.

Description

An issue in the Export function of Magnolia v6.2.3 and below allows attackers to perform Formula Injection attacks via crafted CSV/XLS files. These formulas may result in arbitrary code execution on a victim's computer when opening the exported files with Microsoft Excel.

Exploits (1)

nomisec WRITEUP
by mbadanoiu · poc
https://github.com/mbadanoiu/CVE-2021-46363

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Magnolia CMS v6.2.3 and below
Auth required
Prerequisites: Valid user credentials · Access to export functionality
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 7.8
EPSS 0.0123
EPSS Percentile 79.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE CWE-1236
Status published
Products (2)
info.magnolia/magnolia-core 0 - 6.2.4 (Maven)
magnolia-cms/magnolia_cms < 6.2.4
Published Feb 11, 2022
Tracked Since Feb 18, 2026