Common Weakness Enumeration

CWE-1236

Allowed

Improper Neutralization of Formula Elements in a CSV File

Abstraction: Base · Status: Incomplete

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

401 vulnerabilities reference this CWE, most recent first.

GHSA-3QCF-857G-5P4X

Vulnerability from github – Published: 2024-09-25 03:30 – Updated: 2024-09-25 03:30
VLAI
Details

IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a CSV injection vulnerability. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38963"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-25T01:15:26Z",
    "severity": "HIGH"
  },
  "details": "IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a CSV injection vulnerability. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.",
  "id": "GHSA-3qcf-857g-5p4x",
  "modified": "2024-09-25T03:30:35Z",
  "published": "2024-09-25T03:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38963"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7169765"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3RC2-78M3-CQMH

Vulnerability from github – Published: 2026-01-16 21:30 – Updated: 2026-01-16 21:30
VLAI
Details

Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-61873"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-16T19:16:17Z",
    "severity": "LOW"
  },
  "details": "Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used.",
  "id": "GHSA-3rc2-78m3-cqmh",
  "modified": "2026-01-16T21:30:37Z",
  "published": "2026-01-16T21:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61873"
    },
    {
      "type": "WEB",
      "url": "https://docs.bestpractical.com/release-notes/rt/index.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3V5G-248Q-Q8GH

Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2022-10-14 12:00
VLAI
Details

A stored CSV Injection vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow an administrative user to store malformed data in LXCA Jobs and Event Log data, that could result in crafted formulas stored in an exported CSV file. The crafted formula is not executed on LXCA itself.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-6182"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-03T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A stored CSV Injection vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow an administrative user to store malformed data in LXCA Jobs and Event Log data, that could result in crafted formulas stored in an exported CSV file. The crafted formula is not executed on LXCA itself.",
  "id": "GHSA-3v5g-248q-q8gh",
  "modified": "2022-10-14T12:00:19Z",
  "published": "2022-05-24T16:55:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6182"
    },
    {
      "type": "WEB",
      "url": "https://support.lenovo.com/solutions/LEN-27805"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3XC2-H5R3-WV3R

Vulnerability from github – Published: 2026-05-05 20:53 – Updated: 2026-05-14 20:31
VLAI
Summary
Kimai vulnerable to formula Injection via tag names in XLSX export
Details

Summary

Any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM(54+51)) via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue() joins tag names with implode() and returns the result unchanged. OpenSpout promotes any =-prefixed string to a FormulaCell, writing <f>SUM(54+51)</f> into the XLSX archive. Excel evaluates the formula when the file is opened.

Details

1. ArrayFormatter does not sanitize before returning

sanitizeDDE() exists on StringHelper and is called by TextFormatter, but ArrayFormatter never calls it.

// src/Export/Package/CellFormatter/ArrayFormatter.php:24
return implode(', ', $value);  // no sanitizeDDE() call

2. Tag name validation does not block formula trigger characters

The API blocks commas in tag names but permits =, +, -, and @ - all valid formula prefixes in Excel and LibreOffice Calc.

3. OpenSpout silently promotes strings to formula cells

Cell::fromValue("=SUM(54+51)") returns a FormulaCell with no warning.

PoC

  1. It logs in as normal user, creates tag =SUM(54+51), assigns it to a timesheet.
  2. Admin has to export timesheets to Excel version via /en/export/ endpoint.

image

formula_injection_tags

Impact

  • Any ROLE_USER can plant a formula that executes on the workstation of any user who exports and opens timesheet data
  • A single malicious tag poisons all future exports across all users and date ranges until the tag is deleted

Fixes

  1. Prevent = being part of the tag name (and other fields as well)
  2. Use OpenSpout TextCell for everything that is a string
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.53.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "kimai/kimai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.27.0"
            },
            {
              "fixed": "2.54.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42267"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T20:53:38Z",
    "nvd_published_at": "2026-05-08T04:16:20Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nAny `ROLE_USER` can create a tag with a formula string as its name (e.g. `=SUM(54+51)`) via `POST /api/tags` and assign it to a timesheet. When an admin exports timesheets to XLSX, `ArrayFormatter.formatValue()` joins tag names with `implode()` and returns the result unchanged. OpenSpout promotes any `=`-prefixed string to a `FormulaCell`, writing `\u003cf\u003eSUM(54+51)\u003c/f\u003e` into the XLSX archive. Excel evaluates the formula when the file is opened.\n\n## Details\n\n### 1. `ArrayFormatter` does not sanitize before returning\n\n`sanitizeDDE()` exists on `StringHelper` and is called by `TextFormatter`, but `ArrayFormatter` never calls it.\n```php\n// src/Export/Package/CellFormatter/ArrayFormatter.php:24\nreturn implode(\u0027, \u0027, $value);  // no sanitizeDDE() call\n```\n\n### 2. Tag name validation does not block formula trigger characters\n\nThe API blocks commas in tag names but permits `=`, `+`, `-`, and `@` - all valid formula prefixes in Excel and LibreOffice Calc.\n\n### 3. OpenSpout silently promotes strings to formula cells\n\n`Cell::fromValue(\"=SUM(54+51)\")` returns a `FormulaCell` with no warning.\n\n### PoC\n\n1. It logs in as normal user, creates tag `=SUM(54+51)`, assigns it to a timesheet.\n2. Admin has to export timesheets to Excel version via `/en/export/` endpoint.\n\n\u003cimg width=\"1339\" height=\"700\" alt=\"image\" src=\"https://github.com/user-attachments/assets/884c7943-5e3b-4647-8bcc-e264d6719d66\" /\u003e\n\n\u003cimg width=\"1304\" height=\"128\" alt=\"formula_injection_tags\" src=\"https://github.com/user-attachments/assets/ef28f2ad-7491-4a15-bb18-1fcd6ff5e55a\" /\u003e\n\n## Impact\n\n- Any `ROLE_USER` can plant a formula that executes on the workstation of any user who exports and opens timesheet data\n- A single malicious tag poisons all future exports across all users and date ranges until the tag is deleted\n\n## Fixes\n\n1. Prevent `=` being part of the tag name (and other fields as well)\n2. Use OpenSpout `TextCell` for everything that is a string",
  "id": "GHSA-3xc2-h5r3-wv3r",
  "modified": "2026-05-14T20:31:08Z",
  "published": "2026-05-05T20:53:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kimai/kimai/security/advisories/GHSA-3xc2-h5r3-wv3r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42267"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kimai/kimai"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kimai/kimai/releases/tag/2.54.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Kimai vulnerable to formula Injection via tag names in XLSX export"
}

GHSA-3XR4-XCG2-6XQ7

Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16
VLAI
Details

An improper neutralization of formula elements in a csv file in Fortinet FortiManager version 6.4.3 and below, 6.2.7 and below allows attacker to execute arbitrary commands via crafted IPv4 field in policy name, when exported as excel file and opened unsafely on the victim host.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-24016"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-30T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "An improper neutralization of formula elements in a csv file in Fortinet FortiManager version 6.4.3 and below, 6.2.7 and below allows attacker to execute arbitrary commands via crafted IPv4 field in policy name, when exported as excel file and opened unsafely on the victim host.",
  "id": "GHSA-3xr4-xcg2-6xq7",
  "modified": "2022-05-24T19:16:12Z",
  "published": "2022-05-24T19:16:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24016"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/advisory/FG-IR-20-190"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-42FC-CX25-7F9X

Vulnerability from github – Published: 2023-06-09 06:30 – Updated: 2024-04-04 04:41
VLAI
Details

The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to CSV injection in versions up to, and including, 3.3.0. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0721"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-09T06:15:53Z",
    "severity": "HIGH"
  },
  "details": "The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to CSV injection in versions up to, and including, 3.3.0. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.",
  "id": "GHSA-42fc-cx25-7f9x",
  "modified": "2024-04-04T04:41:16Z",
  "published": "2023-06-09T06:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0721"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/metform/trunk/core/entries/export.php?rev=2845078"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/2907471"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ccd85a72-1872-4c4f-8ba7-7f91b0b37d4a?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-42PG-83VP-H57G

Vulnerability from github – Published: 2022-11-29 06:30 – Updated: 2022-11-29 06:30
VLAI
Details

A remote attacker with general user privilege can inject malicious code in the form content of Raiden MAILD Mail Server website. Other users export form content as CSV file can trigger arbitrary code execution and allow the attacker to perform arbitrary system operation or disrupt service on the user side.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-41675"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-29T04:15:00Z",
    "severity": "HIGH"
  },
  "details": "A remote attacker with general user privilege can inject malicious code in the form content of Raiden MAILD Mail Server website. Other users export form content as CSV file can trigger arbitrary code execution and allow the attacker to perform arbitrary system operation or disrupt service on the user side.",
  "id": "GHSA-42pg-83vp-h57g",
  "modified": "2022-11-29T06:30:19Z",
  "published": "2022-11-29T06:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41675"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-6738-b78f4-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4386-29WM-8H9P

Vulnerability from github – Published: 2023-09-06 21:32 – Updated: 2024-04-04 07:32
VLAI
Details

SearchBlox before Version 9.2.1 is vulnerable to CSV macro injection in "Featured Results" parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-10131"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-06T19:15:43Z",
    "severity": "CRITICAL"
  },
  "details": "SearchBlox before Version 9.2.1 is vulnerable to CSV macro injection in \"Featured Results\" parameter.",
  "id": "GHSA-4386-29wm-8h9p",
  "modified": "2024-04-04T07:32:15Z",
  "published": "2023-09-06T21:32:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10131"
    },
    {
      "type": "WEB",
      "url": "https://developer.searchblox.com/v9.2/changelog/version-921"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-44GH-JRG2-9M35

Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18
VLAI
Details

The WebDorado "Form Maker by WD" plugin before 1.12.24 for WordPress allows CSV injection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10504"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-27T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "The WebDorado \"Form Maker by WD\" plugin before 1.12.24 for WordPress allows CSV injection.",
  "id": "GHSA-44gh-jrg2-9m35",
  "modified": "2022-05-13T01:18:50Z",
  "published": "2022-05-13T01:18:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10504"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/form-maker/#developers"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/44559"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-452H-X3W8-JMMH

Vulnerability from github – Published: 2024-03-12 15:32 – Updated: 2024-03-12 15:32
VLAI
Details

A improper neutralization of formula elements in a csv file in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, 7.0.0 through 7.0.10, 6.4.0 through 6.4.9, 6.2.0 through 6.2.9, 6.0.0 through 6.0.8 allows attacker to execute unauthorized code or commands via specially crafted packets.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-47534"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-12T15:15:46Z",
    "severity": "CRITICAL"
  },
  "details": "A improper neutralization of formula elements in a csv file in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, 7.0.0 through 7.0.10, 6.4.0 through 6.4.9, 6.2.0 through 6.2.9, 6.0.0 through 6.0.8 allows attacker to execute unauthorized code or commands via specially crafted packets.",
  "id": "GHSA-452h-x3w8-jmmh",
  "modified": "2024-03-12T15:32:21Z",
  "published": "2024-03-12T15:32:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47534"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-23-390"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

Mitigation
Implementation

If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Mitigation
Architecture and Design

Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

No CAPEC attack patterns related to this CWE.