CVE-2026-12862 · Symaro Security Advisory

Description

Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file.

Severity (CVSS)

Base score	5.1
Severity	Medium
Version	CVSS 4.0
Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
Provided by	CNA

Weaknesses

CWE-148 — CWE-148 Improper neutralization of input leaders

Affected products

Vendor	Product	Versions
pretix	Venueless	0.0.0 to <0a35457f

References

https://github.com/venueless/venueless/security/advisories/GHSA-5hw3-655h-7m86

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 22 Jun 2026 14:43 UTC.