QSearchQSearch

CVE-2021-40848

7.8 HIGH

In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exported CSV files could contain characters that a spreadsheet program could int...

Published: 2021-11-03 · Last updated: 2026-06-17

Severity and scoring

CVSS
7.8 HIGH
Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
CWE-1236

Affected products

VendorProduct
maharamahara

Description

In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exported CSV files could contain characters that a spreadsheet program could interpret as a command, leading to execution of a malicious string locally on a device, aka CSV injection.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2021-40849 In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, the account associated with a web services token is vulnerable to being exploite... (9.8 CRITICAL)
  • CVE-2021-43266 In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exporting collections via PDF export could lead to code execution via shell meta... (7.3 HIGH)
  • CVE-2021-43265 In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, certain tag syntax could be used for XSS, such as via a SCRIPT element (5.4 MEDIUM)
  • CVE-2021-43264 In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, adjusting the path component for the page help file allows attackers to bypass t... (3.3 LOW)

Same CWE

  • CVE-2026-5242 Improper neutralization of formula elements in a CSV file vulnerability in MIA Technology Inc (8.8 HIGH)
  • CVE-2025-52612 HCL iControl was affected by Export CSV - CSV Injection vulnerability (7.1 HIGH)
  • CVE-2026-10248 A vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System up to 1.0 (4.7 MEDIUM)
  • CVE-2026-9673 Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which... (6.8 MEDIUM)
  • CVE-2026-41073 RT is an open source, enterprise-grade issue and ticket tracking system (4.6 MEDIUM)