ProjectSend r1605 contains a CSV injection vulnerability... · CVE-2023-53905 · GitHub Advisory Database · GitHub

ProjectSend r1605 contains a CSV injection vulnerability...

Moderate severity Unreviewed Published Dec 18, 2025 to the GitHub Advisory Database • Updated Dec 18, 2025

Package

No package listed— Suggest a package

Affected versions

Unknown

Patched versions

Unknown

Description

ProjectSend r1605 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into user profile names. Attackers can craft payloads like =calc|a!z| in the name field to trigger code execution when administrators export action logs as CSV files.

References

Published by the National Vulnerability Database

Dec 17, 2025

Published to the GitHub Advisory Database Dec 18, 2025

Last updated Dec 18, 2025

Severity

Moderate

/ 10

CVSS v4 base metrics

Exploitability Metrics

Attack Vector Network

Attack Complexity Low

Attack Requirements None

Privileges Required Low

User interaction Active

Vulnerable System Impact Metrics

Confidentiality None

Integrity None

Availability None

Subsequent System Impact Metrics

Confidentiality High

Integrity High

Availability None

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X