{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31049", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-16T12:06:52.366Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-14T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-14T13:28:53.517Z"}, "descriptions": [{"lang": "en", "value": "An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://hostbillapp.com/changelog"}, {"url": "https://hostbillapp.com/release-notes/11-27-2025.html"}, {"url": "https://blog.hostbillapp.com/2025/12/03/hostbill-security-advisory/"}, {"url": "https://hostbillapp.com/responsible-disclosure"}, {"url": "https://hostbillapp.com/release-notes/12-01-2025.html"}, {"url": "https://github.com/Muhammad5235/HostBill-CVEs-2025/blob/main/Missing%20Server-Side%20Validation/Registration%20fields%20%26%20Import%20Csv"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-1236", "lang": "en", "description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T11:28:21.277631Z", "id": "CVE-2026-31049", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:06:52.366Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-31049", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-16T11:28:21.277631Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1236", "description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T11:29:21.987Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://hostbillapp.com/changelog"}, {"url": "https://hostbillapp.com/release-notes/11-27-2025.html"}, {"url": "https://blog.hostbillapp.com/2025/12/03/hostbill-security-advisory/"}, {"url": "https://hostbillapp.com/responsible-disclosure"}, {"url": "https://hostbillapp.com/release-notes/12-01-2025.html"}, {"url": "https://github.com/Muhammad5235/HostBill-CVEs-2025/blob/main/Missing%20Server-Side%20Validation/Registration%20fields%20%26%20Import%20Csv"}], "descriptions": [{"lang": "en", "value": "An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-14T13:28:53.517Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31049", "state": "PUBLISHED", "dateUpdated": "2026-04-16T12:06:52.366Z", "dateReserved": "2026-03-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-14T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field"}], "id": "CVE-2026-31049", "lastModified": "2026-04-27T19:18:46.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-14T14:16:13.130", "references": [{"source": "cve@mitre.org", "url": "https://blog.hostbillapp.com/2025/12/03/hostbill-security-advisory/"}, {"source": "cve@mitre.org", "url": "https://github.com/Muhammad5235/HostBill-CVEs-2025/blob/main/Missing%20Server-Side%20Validation/Registration%20fields%20%26%20Import%20Csv"}, {"source": "cve@mitre.org", "url": "https://hostbillapp.com/changelog"}, {"source": "cve@mitre.org", "url": "https://hostbillapp.com/release-notes/11-27-2025.html"}, {"source": "cve@mitre.org", "url": "https://hostbillapp.com/release-notes/12-01-2025.html"}, {"source": "cve@mitre.org", "url": "https://hostbillapp.com/responsible-disclosure"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1236"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2025-11-24"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2025-12-01"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 92.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "hostbill", "vendor": "hostbillapp"}], "analysis": {"en": {"generated_at": "2026-04-17T11:26:57.704828+00:00", "value": {"mitigation_remediation": ["Upgrade HostBill to the latest release (e.g., 2025\u201112\u201101 or later) that removes the vulnerable CSV registration handling.", "If an upgrade is not immediately possible, disable or remove the CSV registration feature to block the attack vector.", "Implement input validation on any CSV processing endpoints to reject malicious syntax before execution.", "Audit logs for abnormal CSV upload activity and block suspicious IP addresses.", "Apply general security hardening: ensure only authorized users can access registration endpoints and enforce the principle of least privilege."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "HostBill, a web\u2011based billing and automation platform, is affected in the November and December 2025 releases (v.2025\u201111\u201124 and v.2025\u201112\u201101). Users running these versions should verify whether the CSV registration feature is enabled and, if so, consider disabling it until a patch is applied.", "description_and_impact": "An input validation flaw in HostBill allows a remote attacker to inject malicious CSV data during user registration. By submitting specially crafted CSV entries, an attacker can trigger arbitrary code execution on the server, resulting in loss of confidentiality, integrity, and availability. The vulnerability also enables privilege escalation, allowing the attacker to gain elevated permissions beyond those intended for the registration process.", "risk_and_exploitability": "The flaw carries a critical severity, with arbitrary code execution and privilege escalation; it is assigned a severity score of 9.8, indicating a very high risk. The exploitation probability is reported as less than 1%, implying a low but nonzero estimated likelihood of exploitation. While no publicly available exploit has yet been discovered, the vulnerability\u2019s nature suggests that a determined attacker could craft malicious CSV data to trigger the flaw. The CVE description does not detail whether authentication is required to access the registration endpoint; if the endpoint is publicly exposed, an unauthenticated attacker may be able to exploit it. The vulnerability is not listed in the CISA KEV catalog, but its impact warrants urgent attention."}}}}, "created": "2026-04-14T16:16:54.656039+00:00", "title": "Remote Code Execution via CSV Registration in HostBill", "updated": "2026-04-17T11:30:16.993743+00:00", "vendors": ["hostbillapp", "hostbillapp$PRODUCT$hostbill"]}