CWE-1236
AllowedImproper Neutralization of Formula Elements in a CSV File
Abstraction: Base · Status: Incomplete
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
401 vulnerabilities reference this CWE, most recent first.
GHSA-9G94-VWQG-P7WX
Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2024-04-04 01:54A CSV injection vulnerability was found in Limesurvey before 3.17.14 that allows survey participants to inject commands via their survey responses that will be included in the export CSV file.
{
"affected": [],
"aliases": [
"CVE-2019-16184"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-09T21:15:00Z",
"severity": "CRITICAL"
},
"details": "A CSV injection vulnerability was found in Limesurvey before 3.17.14 that allows survey participants to inject commands via their survey responses that will be included in the export CSV file.",
"id": "GHSA-9g94-vwqg-p7wx",
"modified": "2024-04-04T01:54:24Z",
"published": "2022-05-24T16:55:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16184"
},
{
"type": "WEB",
"url": "https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R46"
},
{
"type": "WEB",
"url": "https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9HX5-JMXV-X44Q
Vulnerability from github – Published: 2022-06-18 00:00 – Updated: 2022-07-05 22:17Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "inventree"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-2112"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-05T22:17:16Z",
"nvd_published_at": "2022-06-17T13:15:00Z",
"severity": "HIGH"
},
"details": "Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2.",
"id": "GHSA-9hx5-jmxv-x44q",
"modified": "2022-07-05T22:17:16Z",
"published": "2022-06-18T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2112"
},
{
"type": "WEB",
"url": "https://github.com/inventree/inventree/commit/26bf51c20a1c9b3130ac5dd2e17649bece5ff84f"
},
{
"type": "PACKAGE",
"url": "https://github.com/inventree/InvenTree"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/e57c36e7-fa39-435f-944a-3a52ee066f73"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "CSV Injection in inventree"
}
GHSA-9M9G-8648-6JWX
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33An Excel Macro Injection vulnerability exists in the export feature in the B. Braun OnlineSuite Version AP 3.0 and earlier via multiple input fields that are mishandled in an Excel export.
{
"affected": [],
"aliases": [
"CVE-2020-25170"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-06T17:15:00Z",
"severity": "HIGH"
},
"details": "An Excel Macro Injection vulnerability exists in the export feature in the B. Braun OnlineSuite Version AP 3.0 and earlier via multiple input fields that are mishandled in an Excel export.",
"id": "GHSA-9m9g-8648-6jwx",
"modified": "2022-05-24T17:33:18Z",
"published": "2022-05-24T17:33:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25170"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9P49-M9CM-86GP
Vulnerability from github – Published: 2023-11-15 21:35 – Updated: 2026-04-28 15:30Improper Neutralization of Formula Elements in a CSV File vulnerability in WPEkaClub WP Cookie Consent ( for GDPR, CCPA & ePrivacy ).This issue affects WP Cookie Consent ( for GDPR, CCPA & ePrivacy ): from n/a through 2.2.5.
{
"affected": [],
"aliases": [
"CVE-2023-23678"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-07T16:15:28Z",
"severity": "HIGH"
},
"details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in WPEkaClub WP Cookie Consent ( for GDPR, CCPA \u0026 ePrivacy ).This issue affects WP Cookie Consent ( for GDPR, CCPA \u0026 ePrivacy ): from n/a through 2.2.5.",
"id": "GHSA-9p49-m9cm-86gp",
"modified": "2026-04-28T15:30:34Z",
"published": "2023-11-15T21:35:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23678"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/gdpr-cookie-consent/vulnerability/wordpress-wp-cookie-notice-for-gdpr-ccpa-eprivacy-consent-plugin-2-2-5-csv-injection-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/gdpr-cookie-consent/wordpress-wp-cookie-notice-for-gdpr-ccpa-eprivacy-consent-plugin-2-2-5-csv-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9QPP-C5WX-J99G
Vulnerability from github – Published: 2025-01-24 00:31 – Updated: 2025-01-28 18:31KWHotel 0.47 is vulnerable to CSV Formula Injection in the invoice adding function.
{
"affected": [],
"aliases": [
"CVE-2023-46401"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-23T22:15:12Z",
"severity": "HIGH"
},
"details": "KWHotel 0.47 is vulnerable to CSV Formula Injection in the invoice adding function.",
"id": "GHSA-9qpp-c5wx-j99g",
"modified": "2025-01-28T18:31:25Z",
"published": "2025-01-24T00:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46401"
},
{
"type": "WEB",
"url": "https://gist.github.com/6en6ar/5d39374d6ced8acbe489e0b1b932d056"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C2PM-8Q3X-VJGF
Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18The plugin "WordPress Comments Import & Export" for WordPress (v2.0.4 and before) is vulnerable to CSV Injection.
{
"affected": [],
"aliases": [
"CVE-2018-11526"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-19T19:29:00Z",
"severity": "HIGH"
},
"details": "The plugin \"WordPress Comments Import \u0026 Export\" for WordPress (v2.0.4 and before) is vulnerable to CSV Injection.",
"id": "GHSA-c2pm-8q3x-vjgf",
"modified": "2022-05-13T01:18:56Z",
"published": "2022-05-13T01:18:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11526"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/comments-import-export-woocommerce/#developers"
},
{
"type": "WEB",
"url": "https://wpvulndb.com/vulnerabilities/9097"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44940"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C52J-MFVX-X96X
Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41There has a CSV injection vulnerability in ManageOne 8.0.1. An attacker with common privilege may exploit this vulnerability through some operations to inject the CSV files. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject CSV files to the target device.
{
"affected": [],
"aliases": [
"CVE-2020-9205"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-06T02:15:00Z",
"severity": "MODERATE"
},
"details": "There has a CSV injection vulnerability in ManageOne 8.0.1. An attacker with common privilege may exploit this vulnerability through some operations to inject the CSV files. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject CSV files to the target device.",
"id": "GHSA-c52j-mfvx-x96x",
"modified": "2022-05-24T17:41:13Z",
"published": "2022-05-24T17:41:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9205"
},
{
"type": "WEB",
"url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210127-01-csvinjection-en"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-C5XG-PGX2-GMRF
Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-05-24 19:07The Sign-up Sheets WordPress plugin before 1.0.14 does not not sanitise or validate the Sheet title when generating the CSV to export, which could lead to a CSV injection issue
{
"affected": [],
"aliases": [
"CVE-2021-24441"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-12T20:15:00Z",
"severity": "HIGH"
},
"details": "The Sign-up Sheets WordPress plugin before 1.0.14 does not not sanitise or validate the Sheet title when generating the CSV to export, which could lead to a CSV injection issue",
"id": "GHSA-c5xg-pgx2-gmrf",
"modified": "2022-05-24T19:07:26Z",
"published": "2022-05-24T19:07:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24441"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/ec9292b1-5cbd-4332-bdb6-2351c94f5ac6"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-C635-VV82-XM6H
Vulnerability from github – Published: 2022-05-24 17:11 – Updated: 2022-05-24 17:11Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature.
{
"affected": [],
"aliases": [
"CVE-2020-9347"
],
"database_specific": {
"cwe_ids": [
"CWE-1236",
"CWE-74"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-16T22:15:00Z",
"severity": "HIGH"
},
"details": "Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature.",
"id": "GHSA-c635-vv82-xm6h",
"modified": "2022-05-24T17:11:45Z",
"published": "2022-05-24T17:11:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9347"
},
{
"type": "WEB",
"url": "https://www.infigo.hr/upload/web_struktura/Zoho_ManageEngine_Password_Manager_Pro_10.x_CSV_Excel_Macro_Injection.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C759-J56J-J6V3
Vulnerability from github – Published: 2022-07-26 00:01 – Updated: 2022-07-30 00:00The Request a Quote WordPress plugin through 2.3.7 does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote, which could lead to a CSV injection once an admin download and open it
{
"affected": [],
"aliases": [
"CVE-2022-2240"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-25T13:15:00Z",
"severity": "HIGH"
},
"details": "The Request a Quote WordPress plugin through 2.3.7 does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote, which could lead to a CSV injection once an admin download and open it",
"id": "GHSA-c759-j56j-j6v3",
"modified": "2022-07-30T00:00:38Z",
"published": "2022-07-26T00:01:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2240"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/6a3a573e-f9f2-45ec-9156-332cc551fc7e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Mitigation
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Mitigation
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
No CAPEC attack patterns related to this CWE.