PT-2025-54212 · Trueconf · Trueconf Server

X00Nullbit · Published 2025-12-30 · Updated 2026-01-02 · CVE-2025-66834

CVSS v3.1: 7.3 High

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

TrueConf Server version 5.5.2.10813

Description

A CSV Formula Injection issue exists in TrueConf Server. A standard user can set a specially crafted Display Name that injects harmful spreadsheet formulas into chat logs when they are exported.

Recommendations

Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize the Display Name field to prevent the injection of spreadsheet formulas.
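
One way to apply the workaround at export time, as an added example that is not TrueConf's code and not part of the advisory: every cell, including the Display Name, is checked for a leading formula trigger and prefixed with an apostrophe before it is written as a fully quoted CSV field. The function names, the three-column layout and the sample rows are assumptions made for illustration.

```python
import csv
import io

# Leading characters that spreadsheet applications may interpret as the start
# of a formula (the set commonly cited in OWASP's CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@")
CONTROL_TRIGGERS = ("\t", "\r", "\n")


def neutralize_cell(value: str) -> str:
    """Prefix an apostrophe when the cell could be evaluated as a formula."""
    if not value:
        return value
    # Leading whitespace is ignored for the check so that a padded trigger
    # such as "  =..." is treated the same as "=...".
    if value.startswith(CONTROL_TRIGGERS) or value.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_chat_log(rows) -> str:
    """Serialize (display_name, timestamp, message) rows with every cell neutralized."""
    buf = io.StringIO()
    # QUOTE_ALL wraps each field in double quotes and doubles embedded quotes,
    # so a value cannot break out of its own cell.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["display_name", "timestamp", "message"])
    for row in rows:
        writer.writerow([neutralize_cell(str(cell)) for cell in row])
    return buf.getvalue()


# Constructed sample rows; the column layout is an assumption, not the
# actual TrueConf export format.
SAMPLE_ROWS = [
    ("Alice", "2025-12-30 10:00", "hello"),
    ("=1+1", "2025-12-30 10:01", "display name that starts a formula"),
    ("  @SUM(A1:A2)", "2025-12-30 10:02", "leading spaces before a trigger"),
    ('Bob "B"', "2025-12-30 10:03", "-5 starts with a trigger as well"),
]

if __name__ == "__main__":
    print(export_chat_log(SAMPLE_ROWS))
```

The check is applied to every column because any user-controlled field that reaches the export carries the same risk; plain values that begin with `-` or `+` are also prefixed, which is acceptable for a name or message field.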

Exploit

Fix

RCE


Weakness Enumeration

Related Identifiers

BDU:2026-04923
CVE-2025-66834

Affected Products

Trueconf Server