CVE-2025-60852

MEDIUM

Instant Developer Foundation <25.0.9600 - Code Injection

Title source: llm

Description

A CSV Injection vulnerability existed in Instant Developer Foundation versions prior to 25.0.9600. Applications built with affected versions of the framework did not properly sanitize user-controlled input before including it in CSV exports. This issue could lead to code execution on the system where the exported CSV file is opened.

Exploits (2)

github WRITEUP 2 stars

by adminlove520 · pythonpoc

https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-60852

View Code ZIP pw:eip

nomisec WORKING POC

by valeriocassoni · poc

https://github.com/valeriocassoni/CSV-Injection-in-Instant-Developer-Foundation-25.0-PoC

View Code ZIP pw:eip

References (3)

[Various Sources] https://instantdeveloper.com/lp/cloud-freelance/index.html

[Various Sources] https://doc.instantdeveloper.com/eng/default.aspx?artid=a6c69034-d1ee-4057-b19d-40505151ec8e&lang=eng

[Various Sources] https://github.com/valeriocassoni/CSV-Injection-in-Instant-Developer-Foundation-25.0-PoC

Scores

CVSS v3 6.5

EPSS 0.0006

EPSS Percentile 19.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Details

CWE

CWE-1236

Status published

Published Oct 23, 2025

Tracked Since Feb 18, 2026