CVE-2024-53924

CRITICAL

Pycel <1.0b30 - RCE

Title source: llm

Description

Pycel through 1.0b30, when operating on an untrusted spreadsheet, allows code execution via a crafted formula in a cell, such as one beginning with the =IF(A1=200, eval("__import__('os').system( substring.

Exploits (1)

nomisec WORKING POC 5 stars

by aelmosalamy · poc

https://github.com/aelmosalamy/CVE-2024-53924

View Code ZIP pw:eip

References (4)

[Exploit, Third Party Advisory] https://gist.github.com/aelmosalamy/cb098e61939718d2bb248fd1cc94f287

[Product] https://github.com/dgorissen/pycel

[Product] https://github.com/stephenrauch/pycel

[Product] https://pypi.org/project/pycel/

Scores

CVSS v3 9.8

EPSS 0.0161

EPSS Percentile 81.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-94

Status published

Products (2)

dgorissen/pycel 1.0 beta0 (25 CPE variants)

pypi/pycel 0PyPI

Published Apr 17, 2025

Tracked Since Feb 18, 2026