Cyber Posture

CVE-2025-22978

Critical · Public PoC

Published: 03 February 2025

Modified: 20 January 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0051 (66.6th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

eladmin <=2.7 is vulnerable to CSV Injection in the exception log download module.

Security Summary

CVE-2025-22978 is a CSV Injection vulnerability affecting eladmin versions 2.7 and earlier, specifically in the exception log download module. Published on 2025-02-03, this issue falls under CWE-74 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impacts across confidentiality, integrity, and availability.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation allows adversaries to inject malicious payloads into the CSV output, potentially leading to high-level compromise of systems that process the downloaded logs.

Mitigation is provided through a patch in the commit at https://github.com/elunez/eladmin/commit/d6a16e9afc0a3b96a56f1a24ed167e1beec6ce2f. Additional details on the vulnerability are documented in the GitHub issue at https://github.com/elunez/eladmin/issues/863.
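The general defence against CSV Injection in a log export is to neutralise each cell before it is written. The Java sketch below is an added example, not the eladmin patch or any code from the project; the class name, the column names and the sample rows are constructed for illustration, and the set of trigger characters follows the OWASP CSV Injection guidance.

```java
import java.util.List;
import java.util.stream.Collectors;

// Added example (hypothetical class, not eladmin code): neutralise cells
// before writing user-influenced log fields to a CSV download.
public class CsvCellNeutralizer {

    // Leading characters that make a spreadsheet evaluate a cell as a formula.
    private static final String FORMULA_TRIGGERS = "=+-@\t\r";

    // Returns the value as one safely quoted CSV field.
    static String neutralize(String value) {
        if (value == null) {
            return "\"\"";
        }
        String v = value;
        // Prefix an apostrophe so the cell is rendered as text, not evaluated.
        // This also prefixes negative numbers, which is acceptable for log text.
        if (!v.isEmpty() && FORMULA_TRIGGERS.indexOf(v.charAt(0)) >= 0) {
            v = "'" + v;
        }
        // Always quote the field and double embedded quotes, so commas, quotes
        // and newlines in the data cannot start a new cell or row.
        return "\"" + v.replace("\"", "\"\"") + "\"";
    }

    static String toCsvLine(List<String> fields) {
        return fields.stream()
                .map(CsvCellNeutralizer::neutralize)
                .collect(Collectors.joining(","));
    }

    public static void main(String[] args) {
        // Constructed sample rows; column names are assumptions, not eladmin's schema.
        List<List<String>> rows = List.of(
                List.of("username", "requestIp", "description", "exceptionDetail"),
                List.of("admin", "192.0.2.10", "query users", "java.lang.NullPointerException"),
                List.of("=1+1", "192.0.2.11", "@SUM(A1:A2)", "-2+3 \"quoted\", with comma"));
        for (List<String> row : rows) {
            System.out.println(toCsvLine(row));
        }
    }
}
```

Apply the neutralisation at the point where the export is written rather than where the log entry is stored, so the stored exception data stays unmodified for other consumers.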

Details

CWE(s)
CWE-74

Affected Products

eladmin
eladmin
≤ 2.7
