Common Weakness Enumeration

CWE-1236

Allowed

Improper Neutralization of Formula Elements in a CSV File

Abstraction: Base · Status: Incomplete

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

401 vulnerabilities reference this CWE, most recent first.

GHSA-FX25-QH4F-8GHH

Vulnerability from github – Published: 2025-07-31 09:32 – Updated: 2025-07-31 09:32
VLAI
Details

Multiple versions of PowerCMS improperly neutralize formula elements in a CSV file. If a product user creates a malformed entry and a victim user downloads it as a CSV file and opens it in the user's environment, the embedded code may be executed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54752"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-31T08:15:25Z",
    "severity": "MODERATE"
  },
  "details": "Multiple versions of PowerCMS improperly neutralize formula elements in a CSV file.  If a product user creates a malformed entry and a victim user downloads it as a CSV file and opens it in the user\u0027s environment, the embedded code may be executed.",
  "id": "GHSA-fx25-qh4f-8ghh",
  "modified": "2025-07-31T09:32:49Z",
  "published": "2025-07-31T09:32:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54752"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU93412964"
    },
    {
      "type": "WEB",
      "url": "https://www.powercms.jp/news/release-powercms-671-531-461.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G26Q-PPP8-JJ4R

Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43
VLAI
Details

A CSV injection vulnerability found in Online Invoicing System (OIS) 4.3 and below can be exploited by users to perform malicious actions such as redirecting admins to unknown or harmful websites, or disclosing other clients' details that the user did not have access to.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27839"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-03T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A CSV injection vulnerability found in Online Invoicing System (OIS) 4.3 and below can be exploited by users to perform malicious actions such as redirecting admins to unknown or harmful websites, or disclosing other clients\u0027 details that the user did not have access to.",
  "id": "GHSA-g26q-ppp8-jj4r",
  "modified": "2022-05-24T17:43:36Z",
  "published": "2022-05-24T17:43:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27839"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bigprof-software/online-invoicing-system/releases/tag/4.4"
    },
    {
      "type": "WEB",
      "url": "https://www.jinsonvarghese.com/csv-injection-in-online-invoicing-system"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-G27C-Q7CP-MHX6

Vulnerability from github – Published: 2026-05-28 06:31 – Updated: 2026-07-01 21:25
VLAI
Summary
json-2-csv vulnerable to CSV Injection via the preventCsvInjection optio
Details

Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "json-2-csv"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.15.0"
            },
            {
              "fixed": "5.5.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-9673"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-01T21:25:23Z",
    "nvd_published_at": "2026-05-28T06:16:29Z",
    "severity": "MODERATE"
  },
  "details": "Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications.",
  "id": "GHSA-g27c-q7cp-mhx6",
  "modified": "2026-07-01T21:25:23Z",
  "published": "2026-05-28T06:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9673"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mrodrig/json-2-csv/commit/0fdd0bb6d0273178cd940afc323ccbce19688229"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/whoamins/299745a2d36b482b44e9613b78e40613"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mrodrig/json-2-csv"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mrodrig/json-2-csv/blob/main/src/json2csv.ts%23L410"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-JSON2CSV-14221326"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "json-2-csv vulnerable to CSV Injection via the preventCsvInjection optio"
}

GHSA-G2M8-F3X2-QPRW

Vulnerability from github – Published: 2024-09-12 15:33 – Updated: 2024-09-23 19:11
VLAI
Summary
Refuel Autolab Eval Injection vulnerability
Details

An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its classification tasks handle provided CSV files. If a victim user creates a classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "refuel-autolabel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.8"
            },
            {
              "last_affected": "0.0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-27320"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236",
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-12T19:49:53Z",
    "nvd_published_at": "2024-09-12T13:15:11Z",
    "severity": "HIGH"
  },
  "details": "An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its classification tasks handle provided CSV files. If a victim user creates a classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it.",
  "id": "GHSA-g2m8-f3x2-qprw",
  "modified": "2024-09-23T19:11:59Z",
  "published": "2024-09-12T15:33:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27320"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/refuel-ai/autolabel"
    },
    {
      "type": "WEB",
      "url": "https://github.com/refuel-ai/autolabel/blob/v0.0.16/src/autolabel/dataset/validation.py#L57-L79"
    },
    {
      "type": "WEB",
      "url": "https://hiddenlayer.com/sai-security-advisory/2024-09-autolabel"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Refuel Autolab Eval Injection vulnerability"
}

GHSA-G2VC-GPM2-RP4W

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33
VLAI
Details

CSV Injection exists in InterMind iMind Server through 3.13.65 via the csv export functionality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-25398"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-05T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "CSV Injection exists in InterMind iMind Server through 3.13.65 via the csv export functionality.",
  "id": "GHSA-g2vc-gpm2-rp4w",
  "modified": "2022-05-24T17:33:14Z",
  "published": "2022-05-24T17:33:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25398"
    },
    {
      "type": "WEB",
      "url": "https://github.com/h3llraiser/CVE-2020-25398"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-G45P-2VH4-M46H

Vulnerability from github – Published: 2025-05-21 15:30 – Updated: 2025-05-21 15:30
VLAI
Details

Data provided in a request performed to the server while activating a new device are put in a database. Other high privileged users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC.

This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1421"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-21T13:16:02Z",
    "severity": "LOW"
  },
  "details": "Data provided in a request performed to the server while activating a new device are put in a database.\u00a0Other high privileged users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user\u0027s PC.\n\n\nThis issue has been fixed in\u00a02.17.5 version of\u00a0Konsola Proget (server part of the MDM suite).",
  "id": "GHSA-g45p-2vh4-m46h",
  "modified": "2025-05-21T15:30:33Z",
  "published": "2025-05-21T15:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1421"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/en/posts/2025/05/CVE-2025-1415"
    },
    {
      "type": "WEB",
      "url": "https://proget.pl/en/mobile-device-management"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G4V7-HFRX-HQF3

Vulnerability from github – Published: 2022-04-13 00:00 – Updated: 2022-04-20 00:00
VLAI
Details

The Visual Form Builder WordPress plugin before 3.0.6 is vulnerable to CSV injection allowing a user with low level or no privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0142"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-12T12:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The Visual Form Builder WordPress plugin before 3.0.6 is vulnerable to CSV injection allowing a user with low level or no privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.",
  "id": "GHSA-g4v7-hfrx-hqf3",
  "modified": "2022-04-20T00:00:50Z",
  "published": "2022-04-13T00:00:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0142"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/03210390-2054-40c0-9508-39d168087878"
    },
    {
      "type": "WEB",
      "url": "https://www.fortiguard.com/zeroday/FG-VD-21-080"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G5GR-7QPP-2P9M

Vulnerability from github – Published: 2023-11-15 15:30 – Updated: 2026-04-28 21:33
VLAI
Details

Improper Neutralization of Formula Elements in a CSV File vulnerability in Pär Thernström Simple History – user activity log, audit tool.This issue affects Simple History – user activity log, audit tool: from n/a through 3.3.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-45350"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-07T15:15:09Z",
    "severity": "HIGH"
  },
  "details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in P\u00e4r Thernstr\u00f6m Simple History \u2013 user activity log, audit tool.This issue affects Simple History \u2013 user activity log, audit tool: from n/a through 3.3.1.",
  "id": "GHSA-g5gr-7qpp-2p9m",
  "modified": "2026-04-28T21:33:01Z",
  "published": "2023-11-15T15:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45350"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/simple-history/vulnerability/wordpress-simple-history-plugin-3-3-1-csv-injection-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/simple-history/wordpress-simple-history-plugin-3-3-1-csv-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G5QW-HP88-696M

Vulnerability from github – Published: 2022-11-04 12:00 – Updated: 2022-11-04 19:01
VLAI
Details

"IBM InfoSphere Information Server 11.7 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 223598."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22425"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-03T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "\"IBM InfoSphere Information Server 11.7 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 223598.\"",
  "id": "GHSA-g5qw-hp88-696m",
  "modified": "2022-11-04T19:01:16Z",
  "published": "2022-11-04T12:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22425"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6829953"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G6C2-GHR3-XMVW

Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37
VLAI
Details

There has a CSV injection vulnerability in iManager NetEco 6000 versions V600R021C00. An attacker with common privilege may exploit this vulnerability through some operations to inject the CSV files. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject CSV files to the target device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-9200"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-24T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "There has a CSV injection vulnerability in iManager NetEco 6000 versions V600R021C00. An attacker with common privilege may exploit this vulnerability through some operations to inject the CSV files. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject CSV files to the target device.",
  "id": "GHSA-g6c2-ghr3-xmvw",
  "modified": "2022-05-24T17:37:17Z",
  "published": "2022-05-24T17:37:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9200"
    },
    {
      "type": "WEB",
      "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20201209-01-csvinjection-en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Implementation

When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

Mitigation
Implementation

If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Mitigation
Architecture and Design

Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

No CAPEC attack patterns related to this CWE.