Common Weakness Enumeration

CWE-1236

Allowed

Improper Neutralization of Formula Elements in a CSV File

Abstraction: Base · Status: Incomplete

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

401 vulnerabilities reference this CWE, most recent first.

GHSA-92PP-5G9W-8MGR

Vulnerability from github – Published: 2023-12-29 03:30 – Updated: 2024-01-08 15:30
VLAI
Details

CSV Injection vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to obtain sensitive information via the Delivery Name field.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31294"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-29T03:15:10Z",
    "severity": "HIGH"
  },
  "details": "CSV Injection vulnerability in Sesami Cash Point \u0026 Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to obtain sensitive information via the Delivery Name field.",
  "id": "GHSA-92pp-5g9w-8mgr",
  "modified": "2024-01-08T15:30:25Z",
  "published": "2023-12-29T03:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31294"
    },
    {
      "type": "WEB",
      "url": "https://herolab.usd.de/en/security-advisories/usd-2022-0052"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-92RX-J4VP-FPR7

Vulnerability from github – Published: 2025-09-29 21:30 – Updated: 2025-09-29 21:30
VLAI
Details

Medical Informatics Engineering Enterprise Health has a CSV injection vulnerability that allows a remote, authenticated attacker to inject macros in downloadable CSV files. This issue is fixed as of 2025-03-14.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-35033"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-29T20:15:32Z",
    "severity": "MODERATE"
  },
  "details": "Medical Informatics Engineering Enterprise Health has a CSV injection vulnerability that allows a remote, authenticated attacker to inject macros in downloadable CSV files. This issue is fixed as of 2025-03-14.",
  "id": "GHSA-92rx-j4vp-fpr7",
  "modified": "2025-09-29T21:30:26Z",
  "published": "2025-09-29T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35033"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-272-01.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-35033"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9323-PHPC-VQQM

Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2022-05-24 17:49
VLAI
Details

IBM Spectrum Scale 5.0.0 through 5.0.5.6 and 5.1.0 through 5.1.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 199403.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-29667"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-27T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Spectrum Scale 5.0.0 through 5.0.5.6 and 5.1.0 through 5.1.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 199403.",
  "id": "GHSA-9323-phpc-vqqm",
  "modified": "2022-05-24T17:49:00Z",
  "published": "2022-05-24T17:49:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29667"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/199403"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6447107"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-9435-V4GJ-93WQ

Vulnerability from github – Published: 2023-11-07 21:30 – Updated: 2026-04-28 15:30
VLAI
Details

Improper Neutralization of Formula Elements in a CSV File vulnerability in Nakashima Masahiro WP CSV Exporter.This issue affects WP CSV Exporter: from n/a through 2.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38702"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-07T18:15:07Z",
    "severity": "HIGH"
  },
  "details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in Nakashima Masahiro WP CSV Exporter.This issue affects WP CSV Exporter: from n/a through 2.0.",
  "id": "GHSA-9435-v4gj-93wq",
  "modified": "2026-04-28T15:30:35Z",
  "published": "2023-11-07T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38702"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/wp-csv-exporter/vulnerability/wordpress-wp-csv-exporter-plugin-1-3-6-authenticated-csv-injection-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/wp-csv-exporter/wordpress-wp-csv-exporter-plugin-1-3-6-authenticated-csv-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-95G8-Q8MM-VPRP

Vulnerability from github – Published: 2025-10-24 15:31 – Updated: 2025-10-24 15:31
VLAI
Details

The AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.6.5. This is due to insufficient sanitization in the 'newcodebyte_chatbot_export_messages' function. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11576"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-24T13:15:46Z",
    "severity": "MODERATE"
  },
  "details": "The AI Chatbot Free Models \u2013 Customer Support, Live Chat, Virtual Assistant plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.6.5. This is due to insufficient sanitization in the \u0027newcodebyte_chatbot_export_messages\u0027 function. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.",
  "id": "GHSA-95g8-q8mm-vprp",
  "modified": "2025-10-24T15:31:25Z",
  "published": "2025-10-24T15:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11576"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3378450"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5064873b-e70a-4fe6-8c5c-ced6025aaa5f?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-978X-C366-R634

Vulnerability from github – Published: 2023-11-15 21:35 – Updated: 2026-04-28 15:30
VLAI
Details

Improper Neutralization of Formula Elements in a CSV File vulnerability in Muneeb Form Builder | Create Responsive Contact Forms.This issue affects Form Builder | Create Responsive Contact Forms: from n/a through 1.9.9.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-23796"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-07T16:15:28Z",
    "severity": "CRITICAL"
  },
  "details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in Muneeb Form Builder | Create Responsive Contact Forms.This issue affects Form Builder | Create Responsive Contact Forms: from n/a through 1.9.9.0.",
  "id": "GHSA-978x-c366-r634",
  "modified": "2026-04-28T15:30:34Z",
  "published": "2023-11-15T21:35:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23796"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/contact-form-add/vulnerability/wordpress-form-builder-create-responsive-contact-forms-plugin-1-9-9-0-csv-injection-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/contact-form-add/wordpress-form-builder-create-responsive-contact-forms-plugin-1-9-9-0-csv-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-99WC-G6XM-MV9H

Vulnerability from github – Published: 2022-05-24 16:47 – Updated: 2024-04-04 00:53
VLAI
Details

CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in Workday through 32 via a value (provided by a low-privileged user in a contact form field) that is mishandled in a CSV export.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-12134"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-06T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in Workday through 32 via a value (provided by a low-privileged user in a contact form field) that is mishandled in a CSV export.",
  "id": "GHSA-99wc-g6xm-mv9h",
  "modified": "2024-04-04T00:53:23Z",
  "published": "2022-05-24T16:47:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12134"
    },
    {
      "type": "WEB",
      "url": "https://sinfosec757.blogspot.com/2019/06/exploit-title-workday-32-csv-injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9F4G-RC6F-W7XQ

Vulnerability from github – Published: 2022-03-31 00:00 – Updated: 2022-04-05 00:00
VLAI
Details

RuoYi v4.7.2 contains a CSV injection vulnerability through ruoyi-admin when a victim opens .xlsx log file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-23868"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-30T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "RuoYi v4.7.2 contains a CSV injection vulnerability through ruoyi-admin when a victim opens .xlsx log file.",
  "id": "GHSA-9f4g-rc6f-w7xq",
  "modified": "2022-04-05T00:00:36Z",
  "published": "2022-03-31T00:00:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23868"
    },
    {
      "type": "WEB",
      "url": "https://gitee.com/y_project/RuoYi/issues/I4RBBD"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9FCG-95MC-3XHM

Vulnerability from github – Published: 2023-11-07 21:30 – Updated: 2026-04-28 15:30
VLAI
Details

Improper Neutralization of Formula Elements in a CSV File vulnerability in Jackmail & Sarbacane Emails & Newsletters with Jackmail.This issue affects Emails & Newsletters with Jackmail: from n/a through 1.2.22.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-46821"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-07T17:15:09Z",
    "severity": "HIGH"
  },
  "details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in Jackmail \u0026 Sarbacane Emails \u0026 Newsletters with Jackmail.This issue affects Emails \u0026 Newsletters with Jackmail: from n/a through 1.2.22.",
  "id": "GHSA-9fcg-95mc-3xhm",
  "modified": "2026-04-28T15:30:35Z",
  "published": "2023-11-07T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46821"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/jackmail-newsletters/vulnerability/wordpress-emails-newsletters-with-jackmail-plugin-1-2-22-csv-injection?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/jackmail-newsletters/wordpress-emails-newsletters-with-jackmail-plugin-1-2-22-csv-injection?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9FMP-6M55-MF4P

Vulnerability from github – Published: 2022-04-20 00:00 – Updated: 2022-04-28 00:00
VLAI
Details

Invicti Acunetix before 14 allows CSV injection via the Description field on the Add Targets page, if the Export CSV feature is used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-29315"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-19T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Invicti Acunetix before 14 allows CSV injection via the Description field on the Add Targets page, if the Export CSV feature is used.",
  "id": "GHSA-9fmp-6m55-mf4p",
  "modified": "2022-04-28T00:00:43Z",
  "published": "2022-04-20T00:00:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29315"
    },
    {
      "type": "WEB",
      "url": "https://the-it-wonders.blogspot.com/2022/04/csv-injection-in-acunetix-version.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

Mitigation
Implementation

If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Mitigation
Architecture and Design

Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

No CAPEC attack patterns related to this CWE.