CVE-2023-36250

HIGH

GNOME time tracker <3.0.2 - Code Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-36250. PoCs published by BrunoTeixeira1996.

AI-analyzed exploit summary This repository describes a CSV Injection vulnerability in GNOME time tracker v3.0.2, where crafted .tsv files can execute arbitrary formulas when opened in spreadsheet software. The PoC demonstrates formula injection (e.g., =3+3) but lacks executable code.

Description

CSV Injection vulnerability in GNOME time tracker version 3.0.2, allows local attackers to execute arbitrary code via crafted .tsv file when creating a new record.

Exploits (1)

nomisec WRITEUP 3 stars

by BrunoTeixeira1996 · poc

https://github.com/BrunoTeixeira1996/CVE-2023-36250

View Code ZIP pw:eip

This repository describes a CSV Injection vulnerability in GNOME time tracker v3.0.2, where crafted .tsv files can execute arbitrary formulas when opened in spreadsheet software. The PoC demonstrates formula injection (e.g., =3+3) but lacks executable code.

Classification

Writeup 90%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: GNOME time tracker v3.0.2

No auth needed

Prerequisites: Ability to create or modify a .tsv file in the target application

MITRE ATT&CK

T1221 - Template Injection

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory

https://github.com/BrunoTeixeira1996/CVE-2023-36250/blob/main/README.md

View Exploit ZIP pw:eip

Scores

CVSS v3 7.8

EPSS 0.0056

EPSS Percentile 42.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-74

Status published

Products (1)

gnome/gnome-time_tracker 3.0.2

Published Sep 14, 2023

Tracked Since Feb 18, 2026