CWE-1236
AllowedImproper Neutralization of Formula Elements in a CSV File
Abstraction: Base · Status: Incomplete
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
401 vulnerabilities reference this CWE, most recent first.
GHSA-92PP-5G9W-8MGR
Vulnerability from github – Published: 2023-12-29 03:30 – Updated: 2024-01-08 15:30CSV Injection vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to obtain sensitive information via the Delivery Name field.
{
"affected": [],
"aliases": [
"CVE-2023-31294"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-29T03:15:10Z",
"severity": "HIGH"
},
"details": "CSV Injection vulnerability in Sesami Cash Point \u0026 Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to obtain sensitive information via the Delivery Name field.",
"id": "GHSA-92pp-5g9w-8mgr",
"modified": "2024-01-08T15:30:25Z",
"published": "2023-12-29T03:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31294"
},
{
"type": "WEB",
"url": "https://herolab.usd.de/en/security-advisories/usd-2022-0052"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-92RX-J4VP-FPR7
Vulnerability from github – Published: 2025-09-29 21:30 – Updated: 2025-09-29 21:30Medical Informatics Engineering Enterprise Health has a CSV injection vulnerability that allows a remote, authenticated attacker to inject macros in downloadable CSV files. This issue is fixed as of 2025-03-14.
{
"affected": [],
"aliases": [
"CVE-2025-35033"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-29T20:15:32Z",
"severity": "MODERATE"
},
"details": "Medical Informatics Engineering Enterprise Health has a CSV injection vulnerability that allows a remote, authenticated attacker to inject macros in downloadable CSV files. This issue is fixed as of 2025-03-14.",
"id": "GHSA-92rx-j4vp-fpr7",
"modified": "2025-09-29T21:30:26Z",
"published": "2025-09-29T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35033"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-272-01.json"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-35033"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9323-PHPC-VQQM
Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2022-05-24 17:49IBM Spectrum Scale 5.0.0 through 5.0.5.6 and 5.1.0 through 5.1.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 199403.
{
"affected": [],
"aliases": [
"CVE-2021-29667"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-27T17:15:00Z",
"severity": "HIGH"
},
"details": "IBM Spectrum Scale 5.0.0 through 5.0.5.6 and 5.1.0 through 5.1.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 199403.",
"id": "GHSA-9323-phpc-vqqm",
"modified": "2022-05-24T17:49:00Z",
"published": "2022-05-24T17:49:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29667"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/199403"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6447107"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9435-V4GJ-93WQ
Vulnerability from github – Published: 2023-11-07 21:30 – Updated: 2026-04-28 15:30Improper Neutralization of Formula Elements in a CSV File vulnerability in Nakashima Masahiro WP CSV Exporter.This issue affects WP CSV Exporter: from n/a through 2.0.
{
"affected": [],
"aliases": [
"CVE-2022-38702"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-07T18:15:07Z",
"severity": "HIGH"
},
"details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in Nakashima Masahiro WP CSV Exporter.This issue affects WP CSV Exporter: from n/a through 2.0.",
"id": "GHSA-9435-v4gj-93wq",
"modified": "2026-04-28T15:30:35Z",
"published": "2023-11-07T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38702"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/wp-csv-exporter/vulnerability/wordpress-wp-csv-exporter-plugin-1-3-6-authenticated-csv-injection-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/wp-csv-exporter/wordpress-wp-csv-exporter-plugin-1-3-6-authenticated-csv-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-95G8-Q8MM-VPRP
Vulnerability from github – Published: 2025-10-24 15:31 – Updated: 2025-10-24 15:31The AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.6.5. This is due to insufficient sanitization in the 'newcodebyte_chatbot_export_messages' function. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
{
"affected": [],
"aliases": [
"CVE-2025-11576"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-24T13:15:46Z",
"severity": "MODERATE"
},
"details": "The AI Chatbot Free Models \u2013 Customer Support, Live Chat, Virtual Assistant plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.6.5. This is due to insufficient sanitization in the \u0027newcodebyte_chatbot_export_messages\u0027 function. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.",
"id": "GHSA-95g8-q8mm-vprp",
"modified": "2025-10-24T15:31:25Z",
"published": "2025-10-24T15:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11576"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3378450"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5064873b-e70a-4fe6-8c5c-ced6025aaa5f?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-978X-C366-R634
Vulnerability from github – Published: 2023-11-15 21:35 – Updated: 2026-04-28 15:30Improper Neutralization of Formula Elements in a CSV File vulnerability in Muneeb Form Builder | Create Responsive Contact Forms.This issue affects Form Builder | Create Responsive Contact Forms: from n/a through 1.9.9.0.
{
"affected": [],
"aliases": [
"CVE-2023-23796"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-07T16:15:28Z",
"severity": "CRITICAL"
},
"details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in Muneeb Form Builder | Create Responsive Contact Forms.This issue affects Form Builder | Create Responsive Contact Forms: from n/a through 1.9.9.0.",
"id": "GHSA-978x-c366-r634",
"modified": "2026-04-28T15:30:34Z",
"published": "2023-11-15T21:35:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23796"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/contact-form-add/vulnerability/wordpress-form-builder-create-responsive-contact-forms-plugin-1-9-9-0-csv-injection-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/contact-form-add/wordpress-form-builder-create-responsive-contact-forms-plugin-1-9-9-0-csv-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-99WC-G6XM-MV9H
Vulnerability from github – Published: 2022-05-24 16:47 – Updated: 2024-04-04 00:53CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in Workday through 32 via a value (provided by a low-privileged user in a contact form field) that is mishandled in a CSV export.
{
"affected": [],
"aliases": [
"CVE-2019-12134"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-06T14:29:00Z",
"severity": "HIGH"
},
"details": "CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in Workday through 32 via a value (provided by a low-privileged user in a contact form field) that is mishandled in a CSV export.",
"id": "GHSA-99wc-g6xm-mv9h",
"modified": "2024-04-04T00:53:23Z",
"published": "2022-05-24T16:47:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12134"
},
{
"type": "WEB",
"url": "https://sinfosec757.blogspot.com/2019/06/exploit-title-workday-32-csv-injection.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9F4G-RC6F-W7XQ
Vulnerability from github – Published: 2022-03-31 00:00 – Updated: 2022-04-05 00:00RuoYi v4.7.2 contains a CSV injection vulnerability through ruoyi-admin when a victim opens .xlsx log file.
{
"affected": [],
"aliases": [
"CVE-2022-23868"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-30T11:15:00Z",
"severity": "HIGH"
},
"details": "RuoYi v4.7.2 contains a CSV injection vulnerability through ruoyi-admin when a victim opens .xlsx log file.",
"id": "GHSA-9f4g-rc6f-w7xq",
"modified": "2022-04-05T00:00:36Z",
"published": "2022-03-31T00:00:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23868"
},
{
"type": "WEB",
"url": "https://gitee.com/y_project/RuoYi/issues/I4RBBD"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9FCG-95MC-3XHM
Vulnerability from github – Published: 2023-11-07 21:30 – Updated: 2026-04-28 15:30Improper Neutralization of Formula Elements in a CSV File vulnerability in Jackmail & Sarbacane Emails & Newsletters with Jackmail.This issue affects Emails & Newsletters with Jackmail: from n/a through 1.2.22.
{
"affected": [],
"aliases": [
"CVE-2022-46821"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-07T17:15:09Z",
"severity": "HIGH"
},
"details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in Jackmail \u0026 Sarbacane Emails \u0026 Newsletters with Jackmail.This issue affects Emails \u0026 Newsletters with Jackmail: from n/a through 1.2.22.",
"id": "GHSA-9fcg-95mc-3xhm",
"modified": "2026-04-28T15:30:35Z",
"published": "2023-11-07T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46821"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/jackmail-newsletters/vulnerability/wordpress-emails-newsletters-with-jackmail-plugin-1-2-22-csv-injection?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/jackmail-newsletters/wordpress-emails-newsletters-with-jackmail-plugin-1-2-22-csv-injection?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9FMP-6M55-MF4P
Vulnerability from github – Published: 2022-04-20 00:00 – Updated: 2022-04-28 00:00Invicti Acunetix before 14 allows CSV injection via the Description field on the Add Targets page, if the Export CSV feature is used.
{
"affected": [],
"aliases": [
"CVE-2022-29315"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-19T15:15:00Z",
"severity": "HIGH"
},
"details": "Invicti Acunetix before 14 allows CSV injection via the Description field on the Add Targets page, if the Export CSV feature is used.",
"id": "GHSA-9fmp-6m55-mf4p",
"modified": "2022-04-28T00:00:43Z",
"published": "2022-04-20T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29315"
},
{
"type": "WEB",
"url": "https://the-it-wonders.blogspot.com/2022/04/csv-injection-in-acunetix-version.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Mitigation
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Mitigation
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
No CAPEC attack patterns related to this CWE.