PYSEC-2025-177

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/pycel/PYSEC-2025-177.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2025-177
Aliases
Published
2025-04-17T18:15:47.603Z
Modified
2026-05-21T15:00:24.228162177Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Pycel through 1.0b30, when operating on an untrusted spreadsheet, allows code execution via a crafted formula in a cell, such as one beginning with the =IF(A1=200, eval("import('os').system( substring.

References

Affected packages

PyPI / pycel

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Last affected
1.0-beta0
Last affected
1.0-beta11
Last affected
1.0-beta12
Last affected
1.0-beta13
Last affected
1.0-beta14
Last affected
1.0-beta15
Last affected
1.0-beta16
Last affected
1.0-beta17
Last affected
1.0-beta18
Last affected
1.0-beta19
Last affected
1.0-beta2
Last affected
1.0-beta20
Last affected
1.0-beta21
Last affected
1.0-beta22
Last affected
1.0-beta26
Last affected
1.0-beta27
Last affected
1.0-beta28
Last affected
1.0-beta29
Last affected
1.0-beta3
Last affected
1.0-beta30
Last affected
1.0-beta4
Last affected
1.0-beta5
Last affected
1.0-beta6
Last affected
1.0-beta7
Last affected
1.0-beta8

Affected versions

1.*
1.0b0
1.0b2
1.0b3
1.0b4
1.0b5
1.0b6
1.0b7
1.0b8
1.0b11
1.0b12
1.0b13
1.0b14
1.0b15
1.0b16
1.0b17
1.0b18
1.0b19
1.0b20
1.0b21
1.0b22
1.0b26
1.0b27
1.0b28
1.0b29
1.0b30

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/pycel/PYSEC-2025-177.yaml"