CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-31049

CVSS 9.8v3.1pub. 2026-04-14upd. 2026-04-27

An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field

🤖 AI Analysis
How it works

The vulnerability classified as CWE-1236 (Improper Neutralization of Formula Elements in a CSV File) allows an attacker to inject malicious formulas or payloads into the CSV field of the registration form. The lack of server-side input validation causes the uploaded content to be processed in an unsafe manner. As a result, arbitrary code execution on the server and obtaining elevated privileges in the system are possible.

Impact

An attacker can remotely execute arbitrary code on the server (RCE) without requiring any permissions, and subsequently escalate their privileges (privilege escalation), which may lead to complete takeover of the system and compromise of data confidentiality, integrity, and availability.

Mitigation & patch

Hostbill should be updated to a version containing the security patch described in the vendor's official security advisory (https://blog.hostbillapp.com/2025/12/03/hostbill-security-advisory/) and patches should be applied in accordance with the vendor's release notes from 27.11.2025 and 01.12.2025. It is also recommended to verify registration logs for anomalous input data in CSV fields.

Who is affected

Hostbill in versions 2025-11-24 and 2025-12-01

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCELPE
CWE
References