Severity: HIGH | CVE-2026-5242 | CNA: TR-CERT

CVE-2026-5242: Code Injection in Mia Technologies' Pizzy Library

Improper neutralization of formula elements in a CSV file vulnerability in MIA Technology Inc. Pizzy Library allows Code Injection. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: 1.3.9.26250
  • Affected Products: 1

HarborGuard Analysis

Synopsis

This is a code injection vulnerability in MIA Technology Inc.'s Pizzy Library, caused by improper neutralization of formula elements in CSV output. The vulnerability is reachable over the network by any authenticated user with a low-privilege account, and no victim interaction is required to trigger it. Successful exploitation gives an attacker full read, write, and availability impact on the affected component. A patched-image rebuild at version 1.3.9.26250 is available on HarborGuard for environments running an affected version.
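
The weakness class named above (formula elements left un-neutralized in CSV output) can be checked for and mitigated on the exporting side. The following is an added example, not code from Pizzy Library or from HarborGuard; the function names and sample rows are hypothetical, and the trigger-character list and single-quote prefix follow OWASP's CSV injection guidance.

```python
import csv
import io

# Leading characters that spreadsheet applications interpret as the start of a
# formula (the set listed in OWASP's CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample rows; the second column stands in for user-supplied text.
SAMPLE_ROWS = [["id", "comment"], [1, "=1+1"], [2, "-5"], [3, "@SUM(A1:A2)"]]


def is_risky(text):
    """True if a cell could be interpreted as a formula instead of plain data."""
    if not text.startswith(FORMULA_TRIGGERS):
        return False
    try:
        float(text)  # plain signed numbers such as "-5" are data, not formulas
        return False
    except ValueError:
        return True


def neutralize_cell(value):
    """Return the cell as text, prefixed with a single quote if it is risky."""
    text = "" if value is None else str(value)
    return "'" + text if is_risky(text) else text


def write_csv(rows):
    """Serialize rows with every field quoted and formula prefixes neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(v) for v in row])
    return buf.getvalue()


def find_unneutralized(csv_text):
    """Audit existing CSV output: return (row, column, value) for risky cells."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        hits.extend((r, c, cell) for c, cell in enumerate(row, start=1) if is_risky(cell))
    return hits


if __name__ == "__main__":
    print(write_csv(SAMPLE_ROWS))
```

The quote prefix alters the stored value, so consumers that parse the CSV programmatically need to account for it.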

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the Pizzy Library. Any image running a Pizzy Library version from 1.0.0.26250 up to but not including 1.3.9.26250 is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 8.8 (High) using the published v3.1 vector and can weight that score against each customer environment's compliance policy to prioritize accordingly. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild targeting Pizzy Library 1.3.9.26250 is available on HarborGuard for any environment found running an affected version. For customers with auto-remediation enabled, HarborGuard can trigger a rebuild, run a regression test suite against the updated image, and open a PR against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The vulnerable component is exposed over the network, meaning an attacker must be able to reach the service remotely to deliver a malicious CSV payload.

  • Authentication: Required

    A low-privilege account is sufficient; no elevated or administrative credentials are needed to exploit this vulnerability.

  • Victim interaction: Not required

    No user interaction is needed; the attacker can trigger the injection without involving any other party.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other hard-to-control environmental factors.

Blast Radius

  • Reads sensitive data from the affected environment, including any information accessible to the running process.
  • Modifies application data or system state, as the integrity impact is rated High.
  • Crashes or disrupts the availability of the affected service, as the availability impact is rated High.
  • Combines all three impacts in a single exploit, making this vulnerability suitable for full application compromise.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image containing Pizzy Library 1.0.0.26250 through 1.3.9.26250 (exclusive). For customers with auto-remediation enabled, HarborGuard rebuilds the image at the fixed version 1.3.9.26250, runs a regression test pass, and opens a PR against affected workloads; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and test results are surfaced in the HarborGuard dashboard for engineer review and one-click promotion to staging or production registries.

Fix available: 1.3.9.26250

Affected packages
  • MIA Technology Inc. / Pizzy Library
    < 1.3.9.26250 (from 1.0.0.26250)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H