PT-2026-37003 · Unknown · Erpgo Saas

·

CVE-2023-54348

·

Published

2026-05-05

·

Updated

2026-05-05

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions ERPGo SaaS version 3.9
Description An issue exists where authenticated attackers can execute arbitrary code by injecting formula payloads into vendor name fields. This occurs when malicious formulas are entered into the vendor creation form and subsequently executed when the exported CSV file is opened in spreadsheet applications.
Recommendations As a temporary workaround, restrict the use of the vendor creation form or sanitize inputs in the vendor name field to prevent the use of formula characters until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2023-54348

Affected Products

Erpgo Saas