CVE-2026-12862
Status: Received - Intake
Formula Injection in Excel Export Feature

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: rami.io

Description
Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file.
Affected Vendors & Products
Vendor: venueless
Product: venueless
Version / Range: 0a35457f
CWE
CWE-148: The product does not properly handle when a leading character or sequence ("leader") is missing or malformed, or if multiple leaders are used when only one should be allowed.
Executive Summary

The vulnerability CVE-2026-12862 occurs in the venueless/venueless software where untrusted user data is passed directly and without proper neutralization to Excel exports intended for administrators.

This allows an attacker to perform formula injection attacks by embedding malicious formulas in the exported Excel files.

When an administrator opens such a file, the malicious formulas can execute and potentially compromise the user's environment or manipulate other data within the file.

Impact Analysis

This vulnerability can impact you by allowing attackers to compromise the environment of users who open the exported Excel files.

The attack requires low privileges and passive user interaction, meaning it can be triggered relatively easily once the malicious file is opened.

While it does not affect confidentiality or availability, it poses a low risk to data integrity and could lead to unauthorized actions or data manipulation within the Excel file.

Detection Guidance

This vulnerability involves untrusted user data being passed verbatim to Excel exports, allowing formula injection. Detection would involve identifying exported Excel files generated by the venueless software that may contain unneutralized formulas.

One approach is to inspect exported Excel files for suspicious formula entries that start with characters like '=', '+', '-', or '@' which are typical indicators of formula injection.

Such formulas can be found by converting the workbook with a tool like 'xlsx2csv' and searching the result, by using 'xlsxgrep', or by scanning cell contents with a scripting language such as Python and a library like openpyxl.

  • Example command using grep on CSV exports (the leader may sit in any column, so anchor on the line start or a field separator rather than on ^ alone, and expect signed numbers such as -42 to be flagged as well): grep -E '(^|,)"?[=+@-]' exported_file.csv
  • Using Python openpyxl to scan Excel files for formulas in cells.
Mitigation Strategies

To mitigate this vulnerability, update the venueless software to version 0a35457f or later, where the issue has been addressed.

Additionally, avoid opening Excel exports from untrusted sources or users until the software is updated.

Implement input validation or sanitization to neutralize any formula injection attempts in exported files.
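The detection scan and the neutralization step described in the two sections above, as an added example that is not venueless code: a stdlib-only Python sketch that flags cells a spreadsheet would evaluate as formulas and prefixes them before export. Beyond the four leaders the advisory names it also treats tab and carriage return as leaders, as common hardening guidance does; the sample rows and every name in it are constructed.

```python
import csv
import io

# Leading characters a spreadsheet treats as the start of a formula. '=', '+', '-'
# and '@' are the advisory's leaders; '\t' and '\r' are added because CSV importers
# in common spreadsheet applications honour them as leaders too.
FORMULA_LEADERS = ("=", "+", "-", "@", "\t", "\r")

def looks_like_formula(value):
    """True if a spreadsheet would interpret this cell text as a formula."""
    if not isinstance(value, str) or value[:1] not in FORMULA_LEADERS:
        return False
    # A plain signed number such as "-42" or "+3.5" is data, not a formula;
    # leave it alone rather than turning it into a text cell nobody can sort.
    try:
        float(value)
        return False
    except ValueError:
        return True

def neutralize(value):
    """Prefix a formula-looking cell with a single quote so the spreadsheet
    stores it as literal text; apply to every untrusted value before export."""
    return "'" + value if looks_like_formula(value) else value

def scan_csv(text):
    """Detection: (row, column, value) for each cell in an already exported
    CSV that a spreadsheet would evaluate as a formula."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for c, cell in enumerate(row, start=1):
            if looks_like_formula(cell):
                hits.append((r, c, cell))
    return hits

def export_rows(rows):
    """Mitigation: write rows to CSV text with every cell neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize(v) for v in row])
    return buf.getvalue()

# Constructed sample: attendee rows as an admin export might carry them.
SAMPLE_ROWS = [
    ["attendee", "company", "note"],
    ["Alice Example", "Example GmbH", "regular"],
    ["=SUM(A1:A3)", "Example Corp", "display name chosen by the attendee"],
    ["-42", "Numeric Ltd", "a negative number is data"],
    ["@alice", "Handle Inc", "at-sign leader"],
]
# The verbatim export the advisory describes: cells written with no neutralization.
UNSAFE_CSV = "\n".join(",".join(row) for row in SAMPLE_ROWS) + "\n"
```

The apostrophe stays visible as text after a CSV import, which is the accepted trade-off of this technique; when writing xlsx directly, pass the neutralized value as a plain string cell so the library does not store it as a formula.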

Compliance Impact

The vulnerability involves formula injection through Excel exports, which can compromise the environment of users opening the files or affect other data within those files.

Although the vulnerability poses a low risk to data integrity and does not impact confidentiality or availability, such risks could potentially affect compliance with standards like GDPR or HIPAA that require protection of data integrity and security.

However, there is no explicit information provided about direct impacts on compliance with these regulations.
