By weakness (CWE)
CWE-1236: related vulnerabilities
CVEs classified under CWE-1236. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
2 published vulnerabilities
- CVE-2025-52612HIGH 7.1
HCL iControl contains a vulnerability that combines CSV injection with reflected cross-site scripting (XSS) in its export function. An authenticated attacker can craft malicious input that, when a user interacts with exported CSV content or follows a specially crafted link, executes arbitrary JavaScript in the victim's browser session. The vulnerability stems from inadequate input validation and sanitization, allowing attackers to inject both CSV formulas and script payloads.
- CVE-2026-10248MEDIUM 4.7
SourceCodester's Pharmacy Sales and Inventory System version 1.0 and earlier contains a CSV injection vulnerability in its supplier creation interface. An authenticated attacker with high privileges can inject malicious CSV formulas through the Address or Company Name fields when exporting supplier data, potentially causing data corruption, formula execution, or information disclosure when a user opens the exported file in a spreadsheet application.