{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31049", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-16T12:06:52.366Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-14T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-14T13:28:53.517Z"}, "descriptions": [{"lang": "en", "value": "An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://hostbillapp.com/changelog"}, {"url": "https://hostbillapp.com/release-notes/11-27-2025.html"}, {"url": "https://blog.hostbillapp.com/2025/12/03/hostbill-security-advisory/"}, {"url": "https://hostbillapp.com/responsible-disclosure"}, {"url": "https://hostbillapp.com/release-notes/12-01-2025.html"}, {"url": "https://github.com/Muhammad5235/HostBill-CVEs-2025/blob/main/Missing%20Server-Side%20Validation/Registration%20fields%20%26%20Import%20Csv"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-1236", "lang": "en", "description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T11:28:21.277631Z", "id": "CVE-2026-31049", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:06:52.366Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-31049", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-16T11:28:21.277631Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1236", "description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T11:29:21.987Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://hostbillapp.com/changelog"}, {"url": "https://hostbillapp.com/release-notes/11-27-2025.html"}, {"url": "https://blog.hostbillapp.com/2025/12/03/hostbill-security-advisory/"}, {"url": "https://hostbillapp.com/responsible-disclosure"}, {"url": "https://hostbillapp.com/release-notes/12-01-2025.html"}, {"url": "https://github.com/Muhammad5235/HostBill-CVEs-2025/blob/main/Missing%20Server-Side%20Validation/Registration%20fields%20%26%20Import%20Csv"}], "descriptions": [{"lang": "en", "value": "An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-14T13:28:53.517Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31049", "state": "PUBLISHED", "dateUpdated": "2026-04-16T12:06:52.366Z", "dateReserved": "2026-03-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-14T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field"}], "id": "CVE-2026-31049", "lastModified": "2026-04-16T13:16:48.287", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-14T14:16:13.130", "references": [{"source": "cve@mitre.org", "url": "https://blog.hostbillapp.com/2025/12/03/hostbill-security-advisory/"}, {"source": "cve@mitre.org", "url": "https://github.com/Muhammad5235/HostBill-CVEs-2025/blob/main/Missing%20Server-Side%20Validation/Registration%20fields%20%26%20Import%20Csv"}, {"source": "cve@mitre.org", "url": "https://hostbillapp.com/changelog"}, {"source": "cve@mitre.org", "url": "https://hostbillapp.com/release-notes/11-27-2025.html"}, {"source": "cve@mitre.org", "url": "https://hostbillapp.com/release-notes/12-01-2025.html"}, {"source": "cve@mitre.org", "url": "https://hostbillapp.com/responsible-disclosure"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1236"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2025-11-24"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2025-12-01"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 92.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "hostbill", "vendor": "hostbillapp"}], "analysis": {"en": {"generated_at": "2026-04-14T14:36:08.996496+00:00", "value": {"mitigation_remediation": ["Upgrade HostBill to the latest release (e.g., 2025-12-01 or later) that removes the vulnerable CSV registration handling.", "If an upgrade is not immediately possible, disable or remove the CSV registration feature to block the attack vector.", "Implement input validation on any CSV processing endpoints to reject malicious syntax before execution.", "Audit logs for abnormal CSV upload activity and block suspicious IP addresses.", "Apply general security hardening: ensure only authorized users can access registration endpoints and enforce the principle of least privilege."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "HostBill, a web-based billing and automation platform, is affected in the October and November 2025 releases (v.2025-11-24 and v.2025-12-01). Users running these versions should verify whether the CSV registration feature is enabled and, if so, consider disabling it until a patch is applied.", "description_and_impact": "An input validation flaw in HostBill allows a remote attacker to inject malicious CSV data during user registration. By submitting specially crafted CSV entries, an attacker can trigger arbitrary code execution on the server, resulting in loss of confidentiality, integrity, and availability. The vulnerability also enables privilege escalation, allowing the attacker to gain elevated permissions beyond those intended for the registration process.", "risk_and_exploitability": "The flaw carries a high severity, with automatic code execution and privilege escalation; the lack of a publicly available exploit or EPSS score is mitigated by the obvious nature of the exploitation path through the CSV upload. Attackers need only access to the registration endpoint; no authentication is required to upload the malicious CSV, meaning users or guests can exploit it. EPSS is unavailable, but the existence of a public advisory and targeted release notes indicates that knowledgeable attackers could weaponize this flaw. The vulnerability is not listed in the CISA KEV catalog, but its impact suggests it is a high\u2011risk issue."}}}}, "created": "2026-04-14T16:16:54.656039+00:00", "title": "Remote Code Execution via Unvalidated CSV Registration in HostBill", "updated": "2026-04-14T16:32:00.081411+00:00", "vendors": ["hostbillapp", "hostbillapp$PRODUCT$hostbill"], "weaknesses": ["CWE-269", "CWE-730"]}