CVE-2026-12862
Severity: MEDIUM
pretix Venueless - XLSX Formula Injection in Exports
Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection, which can be used to compromise the environment of the user loading the file or other data in the file.
Scores
CVSS v4: 5.1
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.0023
EPSS Percentile: 13.2%

CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial

Details
CWE: CWE-148
Status: published
Products (1): pretix/Venueless, 0.0.0 - 0a35457f
Published: Jun 22, 2026
Tracked Since: Jun 22, 2026