What is GHSA-pw67-xjhq-389w?

GHSA-pw67-xjhq-389w is a security advisory published by GitHub Security Advisories with High severity. Pycel allows code injection via a crafted formula

Which CVE IDs does GHSA-pw67-xjhq-389w cover?

GHSA-pw67-xjhq-389w covers the following CVE IDs: CVE-2024-53924. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

Which products are affected by GHSA-pw67-xjhq-389w?

GHSA-pw67-xjhq-389w affects 1 product, including: pip/pycel:\u003c= 1.0b30.

GHSA-pw67-xjhq-389wHigh

Pycel allows code injection via a crafted formula

Vendor

GitHub Security Advisories

Published

April 17, 2025

Last Modified

June 8, 2026

🔗 CVE IDs covered (1)

CVE-2024-53924 →

📋 Description

Pycel through 1.0b30, when operating on an untrusted spreadsheet, allows code execution via a crafted formula in a cell, such as one beginning with the =IF(A1=200, eval("__import__('os').system( substring.

🎯 Affected products1

pip/pycel:<= 1.0b30

🔗 References (7)

https://nvd.nist.gov/vuln/detail/CVE-2024-53924
https://gist.github.com/aelmosalamy/cb098e61939718d2bb248fd1cc94f287
https://github.com/dgorissen/pycel
https://github.com/stephenrauch/pycel
https://pypi.org/project/pycel
https://github.com/pypa/advisory-database/tree/main/vulns/pycel/PYSEC-2025-177.yaml
https://github.com/advisories/GHSA-pw67-xjhq-389w