
Description

Dirsearch 0.4.1 contains a CSV injection vulnerability when using the --csv-report flag that allows attackers to inject formulas through redirected endpoints. Attackers can craft malicious server redirects with comma-separated paths containing Excel formulas to manipulate the generated CSV report.
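The neutralization this weakness calls for, shown as an added example that is not dirsearch's own code: one report row whose redirect field is controlled by the scanned server, written first by plain comma-joining and then with quoting plus formula neutralization. The row layout, helper names and sample values are constructed assumptions.

```python
import csv
import io

# Leading characters that make a spreadsheet evaluate a cell as a formula.
FORMULA_CHARS = ("=", "+", "-", "@")
CONTROL_CHARS = ("\t", "\r")


def naive_row(fields):
    """Unsafe pattern: join with commas, no quoting, no neutralization."""
    return ",".join(str(f) for f in fields)


def neutralize(value):
    """Return the value as text, prefixed with ' if it would start a formula."""
    text = str(value)
    if text.startswith(CONTROL_CHARS) or text.lstrip().startswith(FORMULA_CHARS):
        return "'" + text
    return text


def safe_row(fields):
    """Quote every field so embedded commas stay inside one cell,
    and neutralize any field that begins with a formula character."""
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL).writerow([neutralize(f) for f in fields])
    return buf.getvalue().rstrip("\r\n")


def cells(line):
    """Split one CSV line the way a spreadsheet import would."""
    return next(csv.reader([line]))


# Constructed sample: assumed columns are URL, status, size, redirect target.
# The redirect value comes from the scanned server's Location header.
ROW = ["http://scan-target.example/admin", 301, 0, "/login,=1+1"]

if __name__ == "__main__":
    print("naive:", cells(naive_row(ROW)))   # comma splits off a formula cell
    print("safe: ", cells(safe_row(ROW)))    # redirect stays one text cell
    print("lead: ", safe_row(["=1+1"]))      # leading '=' gets a quote prefix
```

Quoting alone keeps the comma from creating a new cell; the prefix handles a field that itself begins with a formula character.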

PUBLISHED Reserved 2026-01-18 | Published 2026-01-27 | Updated 2026-01-27 | Assigner VulnCheck




MEDIUM: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N)
CRITICAL: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Problem types

Improper Neutralization of Formula Elements in a CSV File

Product status

0.4.1: affected

Credits

Dolev Farhi (finder)

References

www.exploit-db.com/exploits/49370 (ExploitDB-49370) exploit

github.com/maurosoria/dirsearch (dirsearch GitHub Repository) product

www.vulncheck.com/advisories/dirsearch-csv-injection (VulnCheck Advisory: dirsearch 0.4.1 - CSV Injection) third-party-advisory

cve.org (CVE-2021-47901)

nvd.nist.gov (CVE-2021-47901)
