CVE-2023-46400
Published: 23 January 2025
Description
KWHotel 0.47 is vulnerable to CSV Formula Injection in the add guest function.
Security Summary
KWHotel version 0.47 is affected by CVE-2023-46400, a CSV Formula Injection vulnerability present in the add guest function. This flaw, associated with CWE-1236, carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact across confidentiality, integrity, and availability.
The vulnerability can be exploited by any unauthenticated attacker with network access, requiring low complexity and no user interaction. Exploitation involves submitting guest data containing spreadsheet formulas through the add guest function so that they appear unsanitised in the CSV output; when that file is opened in a spreadsheet application, the formulas may be evaluated, potentially leading to arbitrary code execution.
Advisories and further technical details are available in the referenced GitHub gist at https://gist.github.com/6en6ar/5d39374d6ced8acbe489e0b1b932d056. Security practitioners should consult this source for exploitation proofs, patch information, or workarounds specific to KWHotel deployments.
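The defensive side of the flaw described above, as an added example that is not KWHotel's own code (the page shows none): a CSV export routine that neutralises formula-triggering cells in the way OWASP's CSV injection guidance recommends, alongside a detection helper that audits an existing export for cells a spreadsheet would evaluate. The guest records, field names and function names are constructed for this illustration.

```python
import csv
import io

# Leading characters that common spreadsheet applications interpret as the
# start of a formula (per OWASP CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Make a single field safe for CSV export.

    Strings that begin with a formula trigger get a leading single quote,
    which spreadsheets treat as "this cell is text". Numeric types pass
    through unchanged so that negative numbers such as -5 stay numbers
    instead of becoming text.
    """
    if value is None:
        return ""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value
    text = str(value)
    if text and text[0] in FORMULA_TRIGGERS:
        return "'" + text
    return text


def export_guests_csv(guests, fields, neutralize=True):
    """Serialise guest records (list of dicts) to CSV text.

    csv.QUOTE_ALL wraps every cell in double quotes and doubles embedded
    quotes, so a payload cannot break out of its cell with a comma or a
    newline. neutralize=False reproduces the unsafe "write what the user
    typed" behaviour, for comparison only.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(fields)
    for guest in guests:
        row = [guest.get(f) for f in fields]
        if neutralize:
            row = [neutralize_cell(v) for v in row]
        writer.writerow(row)
    return buf.getvalue()


def _looks_numeric(cell):
    # "-1" or "+3.5" start with a trigger character but are plain numbers.
    try:
        float(cell)
        return True
    except ValueError:
        return False


def find_formula_cells(csv_text):
    """Detection helper: return (row, column, value) for every cell that a
    spreadsheet would evaluate as a formula. Row 0 is the header line."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell and cell[0] in FORMULA_TRIGGERS and not _looks_numeric(cell):
                hits.append((r, c, cell))
    return hits


# Constructed sample data: one ordinary guest and one whose name and e-mail
# fields carry formula-like content, as a hostile "add guest" submission might.
SAMPLE_GUESTS = [
    {"name": "Jane Doe", "email": "jane@example.invalid", "nights": 2},
    {"name": "=SUM(1,2)", "email": "@attacker.invalid", "nights": -1},
]
FIELDS = ["name", "email", "nights"]

if __name__ == "__main__":
    unsafe = export_guests_csv(SAMPLE_GUESTS, FIELDS, neutralize=False)
    print("Formula cells in unsanitised export:", find_formula_cells(unsafe))
    safe = export_guests_csv(SAMPLE_GUESTS, FIELDS)
    print("Formula cells in neutralised export:", find_formula_cells(safe))
    print(safe)
```

The single-quote prefix is visible in the spreadsheet cell, which is the accepted trade-off: the alternative of stripping the leading character silently alters guest data. Run `find_formula_cells` over exports an application already produced to decide whether past files need to be treated as untrusted before anyone opens them.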
Details
- CWE(s)