CVE-2025-62417
HIGHDescription
Bagisto is an open source laravel eCommerce platform. When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved into a CSV and opened in spreadsheet software, the spreadsheet will interpret that cell as a formula. This allows an attacker to supply a CSV field (e.g., product name) that contains a formula which may be evaluated by a victim’s spreadsheet application — potentially leading to data exfiltration and remote command execution (via older Excel exploits / OLE/cmd constructs or Excel macros). This vulnerability is fixed in 2.3.8.
Is your site exposed to CVE-2025-62417?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| webkul | bagisto |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2025-62417? +
How severe is CVE-2025-62417? +
What products are affected by CVE-2025-62417? +
How do I check if I'm vulnerable to CVE-2025-62417? +
Related Vulnerabilities
Data provided in a request performed to the server while activating a new device are put in a database. Other …
phpLDAPadmin since at least version 1.2.0 through the latest version 1.2.6.7 allows users to export elements from the LDAP directory …
Snipe-IT is an IT asset/license management system. Prior to 8.5.0, Actionlog::logaction() stores the request User-Agent header and ReportsController::postActivityReport() writes that …
KWHotel 0.47 is vulnerable to CSV Formula Injection in the invoice adding function.
KWHotel 0.47 is vulnerable to CSV Formula Injection in the add guest function.
There is a CSV injection vulnerability in some HikCentral Master Lite versions. If exploited, an attacker could build malicious data …