CWE-1236
AllowedImproper Neutralization of Formula Elements in a CSV File
Abstraction: Base · Status: Incomplete
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
401 vulnerabilities reference this CWE, most recent first.
GHSA-F8XQ-Q7PX-WG8C
Vulnerability from github – Published: 2022-03-18 23:11 – Updated: 2022-03-18 23:11Impact
The gradio library has a flagging functionality which saves input/output data into a CSV file on the developer's computer. This can allow a user to save arbitrary text into the CSV file, such as commands. If a program like MS Excel opens such a file, then it automatically runs these commands, which could lead to arbitrary commands running on the user's computer.
Patches
The problem has been patched as of 2.8.11, which escapes the data saved to the csv with single quotes.
Workarounds
If you are using an older version of gradio, don't open csv files generated by gradio with Excel or similar spreadsheet programs.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "gradio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24770"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-18T23:11:43Z",
"nvd_published_at": "2022-03-17T21:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nThe `gradio` library has a flagging functionality which saves input/output data into a CSV file on the developer\u0027s computer. This can allow a user to save arbitrary text into the CSV file, such as commands. If a program like MS Excel opens such a file, then it automatically runs these commands, which could lead to arbitrary commands running on the user\u0027s computer.\n\n### Patches\nThe problem has been patched as of `2.8.11`, which escapes the data saved to the csv with single quotes.\n\n### Workarounds\nIf you are using an older version of `gradio`, don\u0027t open csv files generated by `gradio` with Excel or similar spreadsheet programs.\n\n",
"id": "GHSA-f8xq-q7px-wg8c",
"modified": "2022-03-18T23:11:43Z",
"published": "2022-03-18T23:11:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-f8xq-q7px-wg8c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24770"
},
{
"type": "WEB",
"url": "https://github.com/gradio-app/gradio/pull/817"
},
{
"type": "WEB",
"url": "https://github.com/gradio-app/gradio/commit/80fea89117358ee105973453fdc402398ae20239"
},
{
"type": "PACKAGE",
"url": "https://github.com/gradio-app/gradio"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2022-229.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Neutralization of Formula Elements in a CSV File in Gradio Flagging"
}
GHSA-F9P3-H6CG-2CJR
Vulnerability from github – Published: 2022-05-03 00:00 – Updated: 2022-05-26 19:49Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in GitHub repository luyadev/yii-helpers prior to 1.2.1. Successful exploitation can lead to impacts such as client-sided command injection, code execution, or remote ex-filtration of contained confidential data.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "luyadev/yii-helpers"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-1544"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-04T03:01:04Z",
"nvd_published_at": "2022-05-01T12:15:00Z",
"severity": "HIGH"
},
"details": "Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in GitHub repository luyadev/yii-helpers prior to 1.2.1. Successful exploitation can lead to impacts such as client-sided command injection, code execution, or remote ex-filtration of contained confidential data.",
"id": "GHSA-f9p3-h6cg-2cjr",
"modified": "2022-05-26T19:49:49Z",
"published": "2022-05-03T00:00:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1544"
},
{
"type": "WEB",
"url": "https://github.com/luyadev/yii-helpers/commit/9956ed63f516110c2b588471507b870e748c4cfb"
},
{
"type": "PACKAGE",
"url": "https://github.com/luyadev/yii-helpers"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/fa6d6e75-bc7a-40f6-9bdd-2541318912d4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper neutralization of formula elements in yii-helpers"
}
GHSA-FC79-4QGW-WXFF
Vulnerability from github – Published: 2026-07-13 12:34 – Updated: 2026-07-13 12:34In version 8.2.1 of PrestaShop, there is a vulnerability relating to the incorrect sanitisation of elements, caused by inadequate validation of the ‘Alias’ parameter in the ‘Update your address’ function. This flaw allows an attacker to inject malicious expressions that are executed when the information is exported using the ‘Get my data in CSV’ tool. Successful exploitation of this vulnerability could facilitate unauthorised access to the victim’s personal data.
{
"affected": [],
"aliases": [
"CVE-2026-14846"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-13T10:16:26Z",
"severity": "MODERATE"
},
"details": "In version 8.2.1 of PrestaShop, there is a vulnerability relating to the incorrect sanitisation of elements, caused by inadequate validation of the \u2018Alias\u2019 parameter in the \u2018Update your address\u2019 function. This flaw allows an attacker to inject malicious expressions that are executed when the information is exported using the \u2018Get my data in CSV\u2019 tool. Successful exploitation of this vulnerability could facilitate unauthorised access to the victim\u2019s personal data.",
"id": "GHSA-fc79-4qgw-wxff",
"modified": "2026-07-13T12:34:58Z",
"published": "2026-07-13T12:34:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14846"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/incorrect-neutralisation-prestashop-firmware"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FGPW-H2J4-3V24
Vulnerability from github – Published: 2023-11-07 21:30 – Updated: 2026-04-28 21:33Improper Neutralization of Formula Elements in a CSV File vulnerability in Solwin Infotech User Blocker.This issue affects User Blocker: from n/a through 1.5.5.
{
"affected": [],
"aliases": [
"CVE-2022-45078"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-07T17:15:07Z",
"severity": "HIGH"
},
"details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in Solwin Infotech User Blocker.This issue affects User Blocker: from n/a through 1.5.5.",
"id": "GHSA-fgpw-h2j4-3v24",
"modified": "2026-04-28T21:33:02Z",
"published": "2023-11-07T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45078"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/user-blocker/wordpress-user-blocker-plugin-1-5-5-auth-csv-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FH47-7RX2-5CFR
Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19The Export Users to CSV plugin through 1.1.1 for WordPress allows CSV injection.
{
"affected": [],
"aliases": [
"CVE-2018-15571"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-28T17:29:00Z",
"severity": "HIGH"
},
"details": "The Export Users to CSV plugin through 1.1.1 for WordPress allows CSV injection.",
"id": "GHSA-fh47-7rx2-5cfr",
"modified": "2022-05-13T01:19:10Z",
"published": "2022-05-13T01:19:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15571"
},
{
"type": "WEB",
"url": "https://hackpuntes.com/cve-2018-15571-wordpress-plugin-export-users-to-csv-1-1-1-csv-injection"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/45206"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FMJC-6X9Q-54MF
Vulnerability from github – Published: 2025-11-18 12:30 – Updated: 2025-11-18 12:30The Simple User Import Export plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.1.7 via the 'Import/export users' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration
{
"affected": [],
"aliases": [
"CVE-2025-13133"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-18T10:15:49Z",
"severity": "MODERATE"
},
"details": "The Simple User Import Export plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.1.7 via the \u0027Import/export users\u0027 function. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration",
"id": "GHSA-fmjc-6x9q-54mf",
"modified": "2025-11-18T12:30:18Z",
"published": "2025-11-18T12:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13133"
},
{
"type": "WEB",
"url": "https://it.wordpress.org/plugins/a3-user-importer"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/39ec49b4-f0f3-4ec7-b11b-ce808c025577?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-FPX6-QJ6W-4M83
Vulnerability from github – Published: 2024-01-16 18:31 – Updated: 2025-06-11 18:35The Contact Form Entries WordPress plugin before 1.3.0 does not validate data when its output in a CSV file, which could lead to CSV injection.
{
"affected": [],
"aliases": [
"CVE-2022-3604"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-16T16:15:09Z",
"severity": "HIGH"
},
"details": "The Contact Form Entries WordPress plugin before 1.3.0 does not validate data when its output in a CSV file, which could lead to CSV injection.",
"id": "GHSA-fpx6-qj6w-4m83",
"modified": "2025-06-11T18:35:38Z",
"published": "2024-01-16T18:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3604"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/300ebfcd-c500-464e-b919-acfeb72593de"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FQMJ-V992-7VW6
Vulnerability from github – Published: 2025-08-29 03:30 – Updated: 2025-08-29 03:30There is a CSV Injection Vulnerability in some HikCentral Master Lite versions. This could allow an attacker to inject executable commands via malicious CSV data.
{
"affected": [],
"aliases": [
"CVE-2025-39245"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-29T03:15:38Z",
"severity": "MODERATE"
},
"details": "There is a CSV Injection Vulnerability in some HikCentral Master Lite versions. This could allow an attacker to inject executable commands via malicious CSV data.",
"id": "GHSA-fqmj-v992-7vw6",
"modified": "2025-08-29T03:30:51Z",
"published": "2025-08-29T03:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39245"
},
{
"type": "WEB",
"url": "https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerabilities-in-some-hikcentral-products"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-FVQ4-C84W-Q2RX
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2026-07-05 03:30OpenAsset Digital Asset Management (DAM) 12.0.19 and earlier failed to implement access controls on /Stream/ProjectsCSV endpoint, allowing unauthenticated attackers to gain access to potentially sensitive project information stored by the application.
{
"affected": [],
"aliases": [
"CVE-2020-28861"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-14T20:15:00Z",
"severity": "MODERATE"
},
"details": "OpenAsset Digital Asset Management (DAM) 12.0.19 and earlier failed to implement access controls on /Stream/ProjectsCSV endpoint, allowing unauthenticated attackers to gain access to potentially sensitive project information stored by the application.",
"id": "GHSA-fvq4-c84w-q2rx",
"modified": "2026-07-05T03:30:39Z",
"published": "2022-05-24T17:36:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28861"
},
{
"type": "WEB",
"url": "https://www.themissinglink.com.au/security-advisories-cve-2020-28861"
},
{
"type": "WEB",
"url": "http://openasset.com"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/160457/OpenAsset-Digital-Asset-Management-Insecure-Direct-Object-Reference.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2020/Dec/22"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FWF6-RW69-HHJ4
Vulnerability from github – Published: 2021-11-30 22:22 – Updated: 2024-09-20 21:51This affects all versions of package html-to-csv. When there is a formula embedded in a HTML page, it gets accepted without any validation and the same would be pushed while converting it into a CSV file. Through this a malicious actor can embed or generate a malicious link or execute commands via CSV files.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "html-to-csv"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23654"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-29T20:28:01Z",
"nvd_published_at": "2021-11-26T20:15:00Z",
"severity": "MODERATE"
},
"details": "This affects all versions of package html-to-csv. When there is a formula embedded in a HTML page, it gets accepted without any validation and the same would be pushed while converting it into a CSV file. Through this a malicious actor can embed or generate a malicious link or execute commands via CSV files.",
"id": "GHSA-fwf6-rw69-hhj4",
"modified": "2024-09-20T21:51:03Z",
"published": "2021-11-30T22:22:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23654"
},
{
"type": "WEB",
"url": "https://github.com/hanwentao/html2csv/issues/9"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-fwf6-rw69-hhj4"
},
{
"type": "PACKAGE",
"url": "https://github.com/hanwentao/html2csv"
},
{
"type": "WEB",
"url": "https://github.com/hanwentao/html2csv/blob/master/html2csv/converter.py"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/html-to-csv/PYSEC-2021-866.yaml"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-PYTHON-HTMLTOCSV-1582784"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Improper Neutralization of Formula Elements in a CSV File in html-2-csv"
}
Mitigation
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Mitigation
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Mitigation
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
No CAPEC attack patterns related to this CWE.