CVE-2021-41128

Name: CVE-2021-41128
Creator: NVD / NIST
Published: 2021-10-06T18:15:11.067+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.8/10EPSS 1.26%

Last modified Jun 17, 2026

CVE-2021-41128 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Hygeia is an application for collecting and processing personal and case data in connection with communicable diseases. In affected versions all CSV Exports (Statistics & BAG MED) contain a CSV Injection Vulnerability. EPSS estimates a 1.26% chance of exploitation in the next 30 days.

Description

Hygeia is an application for collecting and processing personal and case data in connection with communicable diseases. In affected versions all CSV Exports (Statistics & BAG MED) contain a CSV Injection Vulnerability. Users of the system are able to submit formula as exported fields which then get executed upon ingestion of the exported file. There is no validation or sanitization of these formula fields and so malicious may construct malicious code. This vulnerability has been resolved in version 1.30.4. There are no workarounds and all users are advised to upgrade their package.

Metrics

CVSS 3.1

8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

1.26%

65.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-74

Affected Software

Vendor	Product	Versions
Hygeia Project	Hygeia	>= 1.11.0, < 1.30.4

References

https://github.com/beatrichartz/csv/issues/103Issue Tracking, Third Party Advisory
https://github.com/beatrichartz/csv/pull/104Third Party Advisory
https://github.com/jshmrtn/hygeia/commit/d917f27432fe84e1c9751222ae55bae36a4dce60Patch, Third Party Advisory
https://github.com/jshmrtn/hygeia/security/advisories/GHSA-8pwv-jhj2-2369Patch, Third Party Advisory
https://owasp.org/www-community/attacks/CSV_InjectionThird Party Advisory
https://github.com/beatrichartz/csv/issues/103Issue Tracking, Third Party Advisory
https://github.com/beatrichartz/csv/pull/104Third Party Advisory
https://github.com/jshmrtn/hygeia/commit/d917f27432fe84e1c9751222ae55bae36a4dce60Patch, Third Party Advisory
https://github.com/jshmrtn/hygeia/security/advisories/GHSA-8pwv-jhj2-2369Patch, Third Party Advisory
https://owasp.org/www-community/attacks/CSV_InjectionThird Party Advisory

Timeline

Published: Oct 6, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-41128?

How severe is CVE-2021-41128?

CVE-2021-41128 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 1.26% probability of exploitation in the next 30 days.

How do I fix CVE-2021-41128?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-41128?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST