Common Weakness Enumeration

CWE-1236

Allowed

Improper Neutralization of Formula Elements in a CSV File

Abstraction: Base · Status: Incomplete

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

401 vulnerabilities reference this CWE, most recent first.

GHSA-F8XQ-Q7PX-WG8C

Vulnerability from github – Published: 2022-03-18 23:11 – Updated: 2022-03-18 23:11
VLAI
Summary
Improper Neutralization of Formula Elements in a CSV File in Gradio Flagging
Details

Impact

The gradio library has a flagging functionality which saves input/output data into a CSV file on the developer's computer. This can allow a user to save arbitrary text into the CSV file, such as commands. If a program like MS Excel opens such a file, then it automatically runs these commands, which could lead to arbitrary commands running on the user's computer.

Patches

The problem has been patched as of 2.8.11, which escapes the data saved to the csv with single quotes.

Workarounds

If you are using an older version of gradio, don't open csv files generated by gradio with Excel or similar spreadsheet programs.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "gradio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24770"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-18T23:11:43Z",
    "nvd_published_at": "2022-03-17T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThe `gradio` library has a flagging functionality which saves input/output data into a CSV file on the developer\u0027s computer. This can allow a user to save arbitrary text into the CSV file, such as commands. If a program like MS Excel opens such a file, then it automatically runs these commands, which could lead to arbitrary commands running on the user\u0027s computer.\n\n### Patches\nThe problem has been patched as of `2.8.11`, which escapes the data saved to the csv with single quotes.\n\n### Workarounds\nIf you are using an older version of `gradio`, don\u0027t open csv files generated by `gradio` with Excel or similar spreadsheet programs.\n\n",
  "id": "GHSA-f8xq-q7px-wg8c",
  "modified": "2022-03-18T23:11:43Z",
  "published": "2022-03-18T23:11:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-f8xq-q7px-wg8c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24770"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gradio-app/gradio/pull/817"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gradio-app/gradio/commit/80fea89117358ee105973453fdc402398ae20239"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gradio-app/gradio"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2022-229.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Neutralization of Formula Elements in a CSV File in Gradio Flagging"
}

GHSA-F9P3-H6CG-2CJR

Vulnerability from github – Published: 2022-05-03 00:00 – Updated: 2022-05-26 19:49
VLAI
Summary
Improper neutralization of formula elements in yii-helpers
Details

Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in GitHub repository luyadev/yii-helpers prior to 1.2.1. Successful exploitation can lead to impacts such as client-sided command injection, code execution, or remote ex-filtration of contained confidential data.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "luyadev/yii-helpers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-1544"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-04T03:01:04Z",
    "nvd_published_at": "2022-05-01T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in GitHub repository luyadev/yii-helpers prior to 1.2.1. Successful exploitation can lead to impacts such as client-sided command injection, code execution, or remote ex-filtration of contained confidential data.",
  "id": "GHSA-f9p3-h6cg-2cjr",
  "modified": "2022-05-26T19:49:49Z",
  "published": "2022-05-03T00:00:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1544"
    },
    {
      "type": "WEB",
      "url": "https://github.com/luyadev/yii-helpers/commit/9956ed63f516110c2b588471507b870e748c4cfb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/luyadev/yii-helpers"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/fa6d6e75-bc7a-40f6-9bdd-2541318912d4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper neutralization of formula elements in yii-helpers"
}

GHSA-FC79-4QGW-WXFF

Vulnerability from github – Published: 2026-07-13 12:34 – Updated: 2026-07-13 12:34
VLAI
Details

In version 8.2.1 of PrestaShop, there is a vulnerability relating to the incorrect sanitisation of elements, caused by inadequate validation of the ‘Alias’ parameter in the ‘Update your address’ function. This flaw allows an attacker to inject malicious expressions that are executed when the information is exported using the ‘Get my data in CSV’ tool. Successful exploitation of this vulnerability could facilitate unauthorised access to the victim’s personal data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-14846"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-13T10:16:26Z",
    "severity": "MODERATE"
  },
  "details": "In version 8.2.1 of PrestaShop, there is a vulnerability relating to the incorrect sanitisation of elements, caused by inadequate validation of the \u2018Alias\u2019 parameter in the \u2018Update your address\u2019 function. This flaw allows an attacker to inject malicious expressions that are executed when the information is exported using the \u2018Get my data in CSV\u2019 tool. Successful exploitation of this vulnerability could facilitate unauthorised access to the victim\u2019s personal data.",
  "id": "GHSA-fc79-4qgw-wxff",
  "modified": "2026-07-13T12:34:58Z",
  "published": "2026-07-13T12:34:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14846"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/incorrect-neutralisation-prestashop-firmware"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FGPW-H2J4-3V24

Vulnerability from github – Published: 2023-11-07 21:30 – Updated: 2026-04-28 21:33
VLAI
Details

Improper Neutralization of Formula Elements in a CSV File vulnerability in Solwin Infotech User Blocker.This issue affects User Blocker: from n/a through 1.5.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-45078"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-07T17:15:07Z",
    "severity": "HIGH"
  },
  "details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in Solwin Infotech User Blocker.This issue affects User Blocker: from n/a through 1.5.5.",
  "id": "GHSA-fgpw-h2j4-3v24",
  "modified": "2026-04-28T21:33:02Z",
  "published": "2023-11-07T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45078"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/user-blocker/wordpress-user-blocker-plugin-1-5-5-auth-csv-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FH47-7RX2-5CFR

Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19
VLAI
Details

The Export Users to CSV plugin through 1.1.1 for WordPress allows CSV injection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-15571"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-28T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "The Export Users to CSV plugin through 1.1.1 for WordPress allows CSV injection.",
  "id": "GHSA-fh47-7rx2-5cfr",
  "modified": "2022-05-13T01:19:10Z",
  "published": "2022-05-13T01:19:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15571"
    },
    {
      "type": "WEB",
      "url": "https://hackpuntes.com/cve-2018-15571-wordpress-plugin-export-users-to-csv-1-1-1-csv-injection"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/45206"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FMJC-6X9Q-54MF

Vulnerability from github – Published: 2025-11-18 12:30 – Updated: 2025-11-18 12:30
VLAI
Details

The Simple User Import Export plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.1.7 via the 'Import/export users' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13133"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-18T10:15:49Z",
    "severity": "MODERATE"
  },
  "details": "The Simple User Import Export plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.1.7 via the \u0027Import/export users\u0027 function. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration",
  "id": "GHSA-fmjc-6x9q-54mf",
  "modified": "2025-11-18T12:30:18Z",
  "published": "2025-11-18T12:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13133"
    },
    {
      "type": "WEB",
      "url": "https://it.wordpress.org/plugins/a3-user-importer"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/39ec49b4-f0f3-4ec7-b11b-ce808c025577?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FPX6-QJ6W-4M83

Vulnerability from github – Published: 2024-01-16 18:31 – Updated: 2025-06-11 18:35
VLAI
Details

The Contact Form Entries WordPress plugin before 1.3.0 does not validate data when its output in a CSV file, which could lead to CSV injection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3604"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-16T16:15:09Z",
    "severity": "HIGH"
  },
  "details": "The Contact Form Entries WordPress plugin before 1.3.0 does not validate data when its output in a CSV file, which could lead to CSV injection.",
  "id": "GHSA-fpx6-qj6w-4m83",
  "modified": "2025-06-11T18:35:38Z",
  "published": "2024-01-16T18:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3604"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/300ebfcd-c500-464e-b919-acfeb72593de"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQMJ-V992-7VW6

Vulnerability from github – Published: 2025-08-29 03:30 – Updated: 2025-08-29 03:30
VLAI
Details

There is a CSV Injection Vulnerability in some HikCentral Master Lite versions. This could allow an attacker to inject executable commands via malicious CSV data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-39245"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-29T03:15:38Z",
    "severity": "MODERATE"
  },
  "details": "There is a CSV Injection Vulnerability in some HikCentral Master Lite versions. This could allow an attacker to inject executable commands via malicious CSV data.",
  "id": "GHSA-fqmj-v992-7vw6",
  "modified": "2025-08-29T03:30:51Z",
  "published": "2025-08-29T03:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39245"
    },
    {
      "type": "WEB",
      "url": "https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerabilities-in-some-hikcentral-products"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FVQ4-C84W-Q2RX

Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2026-07-05 03:30
VLAI
Details

OpenAsset Digital Asset Management (DAM) 12.0.19 and earlier failed to implement access controls on /Stream/ProjectsCSV endpoint, allowing unauthenticated attackers to gain access to potentially sensitive project information stored by the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-28861"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-14T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "OpenAsset Digital Asset Management (DAM) 12.0.19 and earlier failed to implement access controls on /Stream/ProjectsCSV endpoint, allowing unauthenticated attackers to gain access to potentially sensitive project information stored by the application.",
  "id": "GHSA-fvq4-c84w-q2rx",
  "modified": "2026-07-05T03:30:39Z",
  "published": "2022-05-24T17:36:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28861"
    },
    {
      "type": "WEB",
      "url": "https://www.themissinglink.com.au/security-advisories-cve-2020-28861"
    },
    {
      "type": "WEB",
      "url": "http://openasset.com"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/160457/OpenAsset-Digital-Asset-Management-Insecure-Direct-Object-Reference.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2020/Dec/22"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FWF6-RW69-HHJ4

Vulnerability from github – Published: 2021-11-30 22:22 – Updated: 2024-09-20 21:51
VLAI
Summary
Improper Neutralization of Formula Elements in a CSV File in html-2-csv
Details

This affects all versions of package html-to-csv. When there is a formula embedded in a HTML page, it gets accepted without any validation and the same would be pushed while converting it into a CSV file. Through this a malicious actor can embed or generate a malicious link or execute commands via CSV files.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "html-to-csv"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23654"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-29T20:28:01Z",
    "nvd_published_at": "2021-11-26T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "This affects all versions of package html-to-csv. When there is a formula embedded in a HTML page, it gets accepted without any validation and the same would be pushed while converting it into a CSV file. Through this a malicious actor can embed or generate a malicious link or execute commands via CSV files.",
  "id": "GHSA-fwf6-rw69-hhj4",
  "modified": "2024-09-20T21:51:03Z",
  "published": "2021-11-30T22:22:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23654"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hanwentao/html2csv/issues/9"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-fwf6-rw69-hhj4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hanwentao/html2csv"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hanwentao/html2csv/blob/master/html2csv/converter.py"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/html-to-csv/PYSEC-2021-866.yaml"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-PYTHON-HTMLTOCSV-1582784"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Improper Neutralization of Formula Elements in a CSV File in html-2-csv"
}

Mitigation
Implementation

When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

Mitigation
Implementation

If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Mitigation
Architecture and Design

Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

No CAPEC attack patterns related to this CWE.