CRITICAL 9.8

PYSEC-2025-177

Details

Pycel through 1.0b30, when operating on an untrusted spreadsheet, allows code execution via a crafted formula in a cell, such as one beginning with the =IF(A1=200, eval("__import__('os').system( substring.
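
Since no fixed version is listed, one defensive option is to screen formulas before any evaluation. The following is an added example, not code from pycel or from this advisory: it refuses any formula that calls a function outside an allowlist. The names ALLOWED_FUNCTIONS, disallowed_calls and screen_workbook are hypothetical, the sample cells are constructed, and it assumes the caller has already extracted raw cell text as strings.

```python
import re

# Assumption: the only functions this workbook is expected to call.
# Build the real list from your own known-good spreadsheets.
ALLOWED_FUNCTIONS = frozenset({"IF", "SUM", "AVERAGE", "MIN", "MAX", "ROUND"})
_CALL = re.compile(r"([A-Za-z_][A-Za-z0-9_.]*)\s*\(")

def strip_string_literals(formula):
    """Drop "..." literals (Excel escapes a quote as ""), even an unterminated one."""
    out, in_string, i = [], False, 0
    while i < len(formula):
        ch = formula[i]
        if ch == '"':
            if in_string and formula[i + 1:i + 2] == '"':
                i += 2  # escaped quote inside a literal
                continue
            in_string = not in_string
        elif not in_string:
            out.append(ch)
        i += 1
    return "".join(out)

def disallowed_calls(formula, allowed=ALLOWED_FUNCTIONS):
    """Return the upper-cased names called outside string literals and not allowlisted."""
    if not formula.startswith("="):
        return set()  # plain value, not a formula
    calls = {m.group(1).upper() for m in _CALL.finditer(strip_string_literals(formula))}
    return calls - allowed

def screen_workbook(cells, allowed=ALLOWED_FUNCTIONS):
    """cells: {address: raw cell text}. Returns {address: sorted offending names}."""
    findings = {}
    for address, text in cells.items():
        bad = disallowed_calls(text, allowed)
        if bad:
            findings[address] = sorted(bad)
    return findings

# Constructed sample; B2 holds only the truncated prefix quoted in the advisory.
SAMPLE_CELLS = {
    "A1": "200",
    "B1": '=IF(A1>100, SUM(A1:A5), "eval(not a call)")',
    "B2": """=IF(A1=200, eval("__import__('os').system(""",
    "B3": "=ROUND(AVERAGE(A1:A5), 2)",
}

if __name__ == "__main__":
    for address, names in screen_workbook(SAMPLE_CELLS).items():
        print(f"{address}: refuse to evaluate, non-allowlisted calls {names}")
```

Treat any finding as a reason to reject the whole file. The screen reduces exposure but does not replace evaluating untrusted spreadsheets in an isolated, unprivileged process.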

Affected packages

PyPI / pycel
Introduced in: 0

No fixed version published yet for pycel (pip). Pin to a known-safe version or switch to an alternative.
