Common Weakness Enumeration

CWE-1236

Allowed

Improper Neutralization of Formula Elements in a CSV File

Abstraction: Base · Status: Incomplete

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

401 vulnerabilities reference this CWE, most recent first.

GHSA-46X4-34F2-J42G

Vulnerability from github – Published: 2022-05-24 22:01 – Updated: 2024-02-14 18:30
VLAI
Details

A CSV injection in the codepress-admin-columns (aka Admin Columns) plugin 3.4.6 for WordPress allows malicious users to gain remote control of other computers. By choosing formula code as his first or last name, an attacker can create a user with a name that contains malicious code. Other users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-17661"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-08T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A CSV injection in the codepress-admin-columns (aka Admin Columns) plugin 3.4.6 for WordPress allows malicious users to gain remote control of other computers. By choosing formula code as his first or last name, an attacker can create a user with a name that contains malicious code. Other users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user\u0027s PC.",
  "id": "GHSA-46x4-34f2-j42g",
  "modified": "2024-02-14T18:30:24Z",
  "published": "2022-05-24T22:01:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17661"
    },
    {
      "type": "WEB",
      "url": "https://www2.deloitte.com/de/de/pages/risk/articles/wordpress-csv-injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4C36-3WHG-3PPX

Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18
VLAI
Details

A CSV Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10257"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-01T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "A CSV Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.",
  "id": "GHSA-4c36-3whg-3ppx",
  "modified": "2022-05-13T01:18:49Z",
  "published": "2022-05-13T01:18:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10257"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/44536"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/147364/HRSALE-The-Ultimate-HRM-1.0.2-CSV-Injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4FC7-7QM8-3HR4

Vulnerability from github – Published: 2022-05-13 01:21 – Updated: 2022-05-13 01:21
VLAI
Details

Open-AudIT before 2.2 has CSV Injection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-9137"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-19T08:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Open-AudIT before 2.2 has CSV Injection.",
  "id": "GHSA-4fc7-7qm8-3hr4",
  "modified": "2022-05-13T01:21:05Z",
  "published": "2022-05-13T01:21:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9137"
    },
    {
      "type": "WEB",
      "url": "https://community.opmantek.com/display/OA/Errata+-+2.1+Security+Update%2C+April+2018"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/44511"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4FGP-7VVM-M4JF

Vulnerability from github – Published: 2024-09-12 15:33 – Updated: 2024-09-20 19:16
VLAI
Summary
Refuel Autolab Eval Injection vulnerability
Details

An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its multilabel classification tasks handle provided CSV files. If a user creates a multilabel classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "refuel-autolabel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.8"
            },
            {
              "last_affected": "0.0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-27321"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236",
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-12T19:49:50Z",
    "nvd_published_at": "2024-09-12T13:15:12Z",
    "severity": "HIGH"
  },
  "details": "An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its multilabel classification tasks handle provided CSV files. If a user creates a multilabel classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it.",
  "id": "GHSA-4fgp-7vvm-m4jf",
  "modified": "2024-09-20T19:16:57Z",
  "published": "2024-09-12T15:33:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27321"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/refuel-ai/autolabel"
    },
    {
      "type": "WEB",
      "url": "https://github.com/refuel-ai/autolabel/blob/v0.0.16/src/autolabel/dataset/validation.py#L129-L146"
    },
    {
      "type": "WEB",
      "url": "https://hiddenlayer.com/sai-security-advisory/2024-09-autolabel"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Refuel Autolab Eval Injection vulnerability"
}

GHSA-4HVR-HGMW-438R

Vulnerability from github – Published: 2023-07-19 00:31 – Updated: 2024-04-04 06:16
VLAI
Details

A CSV injection vulnerability was found in the Avaya Call Management System (CMS) Supervisor web application which allows a user with administrative privileges to input crafted data which, when exported to a CSV file, may attempt arbitrary command execution on the system used to open the file by a spreadsheet software

such as Microsoft Excel.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3527"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-18T22:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A CSV injection vulnerability was found in the\u00a0Avaya Call Management System (CMS) Supervisor web application which allows a user with administrative privileges to input crafted data which, when exported to a CSV file, may attempt arbitrary command execution on the system used to open the file by a spreadsheet software \n\nsuch as Microsoft Excel.\n\n\u00a0\n\n",
  "id": "GHSA-4hvr-hgmw-438r",
  "modified": "2024-04-04T06:16:36Z",
  "published": "2023-07-19T00:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3527"
    },
    {
      "type": "WEB",
      "url": "https://download.avaya.com/css/public/documents/101086364"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4P76-GP5V-JC39

Vulnerability from github – Published: 2022-09-17 00:00 – Updated: 2022-09-21 00:00
VLAI
Details

The Mobile Events Manager WordPress plugin before 1.4.8 does not properly escape the Enquiry source field when exporting events, or the Paid for field when exporting transactions as CSV, leading to a CSV injection vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1194"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-16T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Mobile Events Manager WordPress plugin before 1.4.8 does not properly escape the Enquiry source field when exporting events, or the Paid for field when exporting transactions as CSV, leading to a CSV injection vulnerability.",
  "id": "GHSA-4p76-gp5v-jc39",
  "modified": "2022-09-21T00:00:46Z",
  "published": "2022-09-17T00:00:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1194"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/62be0991-f095-43cf-a167-3daaed254594"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4Q3W-JGFX-4792

Vulnerability from github – Published: 2026-01-28 18:30 – Updated: 2026-06-09 20:50
VLAI
Summary
Tendenci is Vulnerable to CSV Formula Injection through its Contact Form Message Field
Details

Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like '=10+20+cmd|' /C calc'!A0' in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tendenci"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "12.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-36962"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-09T20:50:33Z",
    "nvd_published_at": "2026-01-28T18:16:46Z",
    "severity": "MODERATE"
  },
  "details": "Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like \u0027=10+20+cmd|\u0027 /C calc\u0027!A0\u0027 in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications.",
  "id": "GHSA-4q3w-jgfx-4792",
  "modified": "2026-06-09T20:50:33Z",
  "published": "2026-01-28T18:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36962"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tendenci/tendenci/commit/3e37622cac81440c5a1f97c39f112a2cf4a5450c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tendenci/PYSEC-2026-136.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tendenci/tendenci"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/49145"
    },
    {
      "type": "WEB",
      "url": "https://www.tendenci.com"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/tendenci-csv-formula-injection"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Tendenci is Vulnerable to CSV Formula Injection through its Contact Form Message Field "
}

GHSA-4VXW-8XM6-P5Q8

Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28
VLAI
Details

In “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by “CSV Injection” vulnerability (Formula Injection). A low privileged attacker can use accounts module to inject payloads in the input fields. When an administrator access accounts module to export the data as a CSV file and opens it, the payload gets executed. This was not fixed properly as part of CVE-2020-15301, allowing the attacker to bypass the security measure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25960"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-29T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "In \u201cSuiteCRM\u201d application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by \u201cCSV Injection\u201d vulnerability (Formula Injection). A low privileged attacker can use accounts module to inject payloads in the input fields. When an administrator access accounts module to export the data as a CSV file and opens it, the payload gets executed. This was not fixed properly as part of CVE-2020-15301, allowing the attacker to bypass the security measure.",
  "id": "GHSA-4vxw-8xm6-p5q8",
  "modified": "2022-05-24T22:28:13Z",
  "published": "2022-05-24T22:28:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25960"
    },
    {
      "type": "WEB",
      "url": "https://github.com/salesagility/SuiteCRM/commit/7124482fe07ee164923d974456ed31e45f65e513"
    },
    {
      "type": "WEB",
      "url": "https://github.com/salesagility/SuiteCRM/commit/f463031bee59676d7d5be53bb32d551cd70a5648"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25960"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4W78-H86P-3C63

Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19
VLAI
Details

IBM API Connect 5.0.0.0, 5.0.8.4, 2018.1 and 2018.3.6 is vulnerable to CSV injection via the developer portal and analytics that could contain malicious commands that would be executed once opened by an administrator. IBM X-Force ID: 148692.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1774"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-11-09T01:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM API Connect 5.0.0.0, 5.0.8.4, 2018.1 and 2018.3.6 is vulnerable to CSV injection via the developer portal and analytics that could contain malicious commands that would be executed once opened by an administrator. IBM X-Force ID: 148692.",
  "id": "GHSA-4w78-h86p-3c63",
  "modified": "2022-05-13T01:19:28Z",
  "published": "2022-05-13T01:19:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1774"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/148692"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/docview.wss?uid=ibm10737867"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-53FW-HRCF-M25V

Vulnerability from github – Published: 2025-02-20 15:31 – Updated: 2025-11-04 21:31
VLAI
Details

PHPJabbers Car Park Booking System v3.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-51311"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-20T15:15:12Z",
    "severity": "HIGH"
  },
  "details": "PHPJabbers Car Park Booking System v3.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.",
  "id": "GHSA-53fw-hrcf-m25v",
  "modified": "2025-11-04T21:31:30Z",
  "published": "2025-02-20T15:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51311"
    },
    {
      "type": "WEB",
      "url": "https://packetstorm.news/files/id/176494"
    },
    {
      "type": "WEB",
      "url": "https://www.phpjabbers.com/car-park-booking/#sectionDemo"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/176494/PHPJabbers-Car-Park-Booking-System-3.0-CSV-Injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

Mitigation
Implementation

If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Mitigation
Architecture and Design

Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

No CAPEC attack patterns related to this CWE.