CVE-2026-31049

Severity: Critical
Published: 14 April 2026
Modified: 27 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0032 (55.5th percentile)
Risk Priority: 20 (60% EPSS, 20% KEV, 20% CVSS)

Description

An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field.

Mitigating Controls (NIST 800-53 r5)

prevent: Directly addresses the missing server-side validation of CSV registration fields to prevent arbitrary code execution from malicious inputs.

prevent: Ensures timely patching of the specific flaw in Hostbill CSV handling as detailed in vendor advisories and release notes.

prevent: Restricts the insertion of unauthorized or malformed CSV content into registration processes to block exploitation vectors.

Security Summary

CVE-2026-31049 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting Hostbill versions 2025-11-24 and 2025-12-01. The issue, classified under CWE-1236, enables a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field. Published on 2026-04-14, it represents a severe flaw in the application's handling of CSV imports during registration processes.

Any remote attacker with network access can exploit this vulnerability because of its low attack complexity and the absence of any privilege or user-interaction requirement; the impact scope is unchanged. Exploitation through the CSV registration field has high impact on confidentiality, integrity, and availability, culminating in arbitrary code execution and privilege escalation on the affected Hostbill instance.

Vendor-provided resources detail potential mitigations, including a security advisory at https://blog.hostbillapp.com/2025/12/03/hostbill-security-advisory/, changelog at https://hostbillapp.com/changelog, and release notes for versions 11-27-2025 and 12-01-2025 at https://hostbillapp.com/release-notes/11-27-2025.html and https://hostbillapp.com/release-notes/12-01-2025.html. A GitHub repository at https://github.com/Muhammad5235/HostBill-CVEs-2025/blob/main/Missing%20Server-Side%20Validation/Registration%20fields%20%26%20Import%20Csv documents the missing server-side validation underlying the flaw.

Details

CWE(s): CWE-1236

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Unauthenticated remote exploitation of a public-facing web application's CSV registration field enables arbitrary code execution (T1190) and privilege escalation (T1068).

Confidence: HIGH (MITRE ATT&CK Enterprise v19.0)

References