
CVE-2025-55745

Severity: Low · Public PoC

Published: 22 August 2025

Modified: 25 August 2025
CVSS v4.0 Score: 2.5 (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0051 (66.8th percentile)
Risk Priority: 5 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-55745 is a low-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Webkul Unopim. Its CVSS base score is 2.5 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 33.2% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Deeper analysis

UnoPim, an open-source Product Information Management (PIM) system built on the Laravel framework, contains a CSV injection vulnerability, also known as formula injection, in its Quick Export feature. This affects versions 0.3.0 and prior. The flaw allows attackers to inject malicious content into exported CSV files, which spreadsheet applications like Microsoft Excel may interpret as formulas or commands upon opening.

Unauthenticated attackers (PR:N) with network access can exploit this vulnerability by crafting malicious payloads that get embedded in the CSV exports. Victims who download and open these files in compatible spreadsheet software, and interact with potentially dangerous content (UI:R), risk arbitrary code execution on their local device. Successful exploitation enables remote code execution, such as establishing a reverse shell, with high confidentiality, integrity, and availability impacts (CVSS 8.8).

The UnoPim security advisory and associated GitHub commit recommend upgrading to version 0.3.1 or later as the primary mitigation. The patch addresses the injection issue in the Quick Export functionality, preventing malicious formula execution in exported files.


Vulnerability details

UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Versions 0.3.0 and prior are vulnerable to CSV injection, also known as formula injection, in the Quick Export feature. This vulnerability allows attackers to inject malicious content into exported CSV files. When the CSV file is opened in spreadsheet applications such as Microsoft Excel, the malicious input may be interpreted as a formula or command, potentially resulting in the execution of arbitrary code on the victim's device. Successful exploitation can lead to remote code execution, including the establishment of a reverse shell. Users are advised to upgrade to version 0.3.1 or later.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1204.002 Malicious File (Execution): An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

The CVE allows server-side injection through the public-facing application (T1190), embedding malicious formulas in the exported CSV; a user opening that file (T1204.002) then triggers client-side execution, leading to RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-21447 (same vendor: Webkul)
CVE-2026-21448 (same vendor: Webkul)
CVE-2020-36962 (shared CWE-1236)
CVE-2024-45084 (shared CWE-1236)
CVE-2026-21446 (same vendor: Webkul)
CVE-2026-38530 (same vendor: Webkul)
CVE-2025-67325 (same vendor: Webkul)
CVE-2026-35157 (shared CWE-1236)
CVE-2026-21450 (same vendor: Webkul)
CVE-2026-21451 (same vendor: Webkul)

Affected Assets

webkul unopim, versions ≤ 0.3.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent · SI-15 (Information Output Filtering): Directly prevents CSV injection by filtering malicious formulas and commands from data prior to export in spreadsheet-compatible formats.

Prevent · SI-2 (Flaw Remediation): Requires timely remediation of the specific CSV injection flaw through software updates, as recommended in the UnoPim advisory, to version 0.3.1.

Prevent: Validates and sanitizes user-supplied inputs that could contain malicious payloads before they are processed and exported via the Quick Export feature.
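As an added example (not UnoPim's code; the page does not show the Laravel export itself), the following Python demonstrates the output filtering described above and the CSV injection flaw from the deeper analysis: an exporter that neutralizes formula-triggering cells, the unsafe variant beside it, and a scan helper for auditing existing exports. The field names and sample rows are constructed.

```python
import csv
import io

# Leading characters that make spreadsheet applications treat a cell as a
# formula rather than text ('=' '+' '-' '@'); tab and carriage return are
# included because some importers honour them as leading control characters.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export rows: row 2 mimics attacker-controlled product
# data, row 3 holds a legitimate value that also begins with a trigger.
FIELDS = ["sku", "name", "note"]
SAMPLE_ROWS = [
    {"sku": "SKU-001", "name": "Plain product", "note": "ok"},
    {"sku": "=1+1", "name": "Injected formula", "note": "=SUM(A1:A2)"},
    {"sku": "SKU-003", "name": "Discounted", "note": "-5% this week"},
]


def neutralize_cell(value):
    """Return a cell value a spreadsheet will render as literal text.

    A leading single quote makes the trigger character display verbatim.
    Caveat: legitimately negative numbers become text, so numeric fields
    should be formatted (or typed) by the exporter before this step.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        text = "'" + text
    return text


def export_rows(rows, fieldnames, neutralize=True):
    """Write rows as CSV. neutralize=False reproduces the unsafe pattern the
    advisory describes: user-supplied fields written verbatim. QUOTE_ALL also
    doubles embedded quotes so a value cannot break out of its own cell."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) if neutralize
                         else row.get(k) for k in fieldnames})
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Detection aid for already-generated exports: list every
    (line_number, column, value) a spreadsheet would treat as a formula."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(line, col, val)
            for line, row in enumerate(reader, start=2)  # header is line 1
            for col, val in row.items()
            if val is not None and val.startswith(FORMULA_TRIGGERS)]
```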
