Common Weakness Enumeration

CWE-1236

Allowed

Improper Neutralization of Formula Elements in a CSV File

Abstraction: Base · Status: Incomplete

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

401 vulnerabilities reference this CWE, most recent first.

GHSA-G73P-89XV-8Q58

Vulnerability from github – Published: 2025-02-20 21:30 – Updated: 2025-11-04 21:31
VLAI
Details

PHPJabbers Meeting Room Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-51336"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-20T19:15:11Z",
    "severity": "HIGH"
  },
  "details": "PHPJabbers Meeting Room Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.",
  "id": "GHSA-g73p-89xv-8q58",
  "modified": "2025-11-04T21:31:31Z",
  "published": "2025-02-20T21:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51336"
    },
    {
      "type": "WEB",
      "url": "https://packetstorm.news/files/id/176518"
    },
    {
      "type": "WEB",
      "url": "https://www.phpjabbers.com/meeting-room-booking-system/#sectionDemo"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/176518/PHPJabbers-Meeting-Room-Booking-System-1.0-CSV-Injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G9CR-RHQJ-PPF4

Vulnerability from github – Published: 2022-11-18 00:30 – Updated: 2022-11-18 21:30
VLAI
Details

Auth. CSV Injection vulnerability in Export Users With Meta plugin <= 0.6.8 on WordPress.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-44577"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-17T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "Auth. CSV Injection vulnerability in Export Users With Meta plugin \u003c= 0.6.8 on WordPress.",
  "id": "GHSA-g9cr-rhqj-ppf4",
  "modified": "2022-11-18T21:30:17Z",
  "published": "2022-11-18T00:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44577"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/user-export-with-their-meta-data/wordpress-export-users-with-meta-plugin-0-6-8-auth-csv-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GCP2-R7P4-R5P4

Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-10-24 19:00
VLAI
Details

Unvalidated input in the Contact Form 7 Database Addon plugin, versions before 1.2.5.6, was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-24144"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236",
      "CWE-74"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-18T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Unvalidated input in the Contact Form 7 Database Addon plugin, versions before 1.2.5.6, was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files.",
  "id": "GHSA-gcp2-r7p4-r5p4",
  "modified": "2022-10-24T19:00:17Z",
  "published": "2022-05-24T17:44:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24144"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/143cdaff-c536-4ff9-8d64-c617511ddd48"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GG36-2FJ2-24H8

Vulnerability from github – Published: 2022-11-28 15:30 – Updated: 2022-11-30 15:30
VLAI
Details

The Export customers list csv for WooCommerce, WordPress users csv, export Guest customer list WordPress plugin before 2.0.69 does not validate data when outputting it back in a CSV file, which could lead to CSV injection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3603"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-28T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The Export customers list csv for WooCommerce, WordPress users csv, export Guest customer list WordPress plugin before 2.0.69 does not validate data when outputting it back in a CSV file, which could lead to CSV injection.",
  "id": "GHSA-gg36-2fj2-24h8",
  "modified": "2022-11-30T15:30:27Z",
  "published": "2022-11-28T15:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3603"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/376e2bc7-2eb9-4e0a-809c-1582940ebdc7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GPJF-V934-73G5

Vulnerability from github – Published: 2023-11-07 21:30 – Updated: 2026-04-28 21:33
VLAI
Details

Improper Neutralization of Formula Elements in a CSV File vulnerability in wpWax Directorist – WordPress Business Directory Plugin with Classified Ads Listing.This issue affects Directorist – WordPress Business Directory Plugin with Classified Ads Listings: from n/a through 7.7.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41798"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-07T18:15:08Z",
    "severity": "HIGH"
  },
  "details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in wpWax Directorist \u2013 WordPress Business Directory Plugin with Classified Ads Listing.This issue affects Directorist \u2013 WordPress Business Directory Plugin with Classified Ads Listings: from n/a through 7.7.1.",
  "id": "GHSA-gpjf-v934-73g5",
  "modified": "2026-04-28T21:33:03Z",
  "published": "2023-11-07T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41798"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/directorist/vulnerability/wordpress-directorist-plugin-7-7-0-csv-injection?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/directorist/wordpress-directorist-plugin-7-7-0-csv-injection?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GPMW-2PFX-6XXM

Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2022-12-09 18:30
VLAI
Details

IBM Tivoli Storage Productivity Center (IBM Spectrum Control Standard Edition 5.2.1 through 5.2.17) could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 157063.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-4071"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-09T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Tivoli Storage Productivity Center (IBM Spectrum Control Standard Edition 5.2.1 through 5.2.17) could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 157063.",
  "id": "GHSA-gpmw-2pfx-6xxm",
  "modified": "2022-12-09T18:30:30Z",
  "published": "2022-05-24T16:45:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4071"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/157063"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=ibm10872900"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GX42-FGWV-G9JJ

Vulnerability from github – Published: 2025-08-13 15:30 – Updated: 2025-08-13 21:30
VLAI
Details

CycloneDX Sunshine v0.9 is vulnerable to CSV Formula Injection via a crafted JSON file

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-52386"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-13T14:15:31Z",
    "severity": "MODERATE"
  },
  "details": "CycloneDX Sunshine v0.9 is vulnerable to CSV Formula Injection via a crafted JSON file",
  "id": "GHSA-gx42-fgwv-g9jj",
  "modified": "2025-08-13T21:30:27Z",
  "published": "2025-08-13T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52386"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CycloneDX/Sunshine"
    },
    {
      "type": "WEB",
      "url": "https://github.com/VishalSreenivas/Formula-Injection-in-CycloneDX-Sunshine/blob/main/CVE-2025-52386.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/VishalSreenivas/Formula-Injection-in-CycloneDX-Sunshine/blob/main/payload.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H2PH-WHQX-FCCC

Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2024-04-04 00:06
VLAI
Details

SEP (Mac client) prior to and including 12.1 RU6 MP9 and prior to 14.2 RU1 may be susceptible to a CSV/DDE injection (also known as formula injection) vulnerability, which is a type of issue whereby an application or website allows untrusted input into CSV files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-12244"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-25T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "SEP (Mac client) prior to and including 12.1 RU6 MP9 and prior to 14.2 RU1 may be susceptible to a CSV/DDE injection (also known as formula injection) vulnerability, which is a type of issue whereby an application or website allows untrusted input into CSV files.",
  "id": "GHSA-h2ph-whqx-fccc",
  "modified": "2024-04-04T00:06:38Z",
  "published": "2022-05-24T16:44:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12244"
    },
    {
      "type": "WEB",
      "url": "https://support.symantec.com/en_US/article.SYMSA1479.html"
    },
    {
      "type": "WEB",
      "url": "https://www.securityfocus.com/bid/107999"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H3V8-V9F6-FFJP

Vulnerability from github – Published: 2026-05-05 12:31 – Updated: 2026-05-05 12:31
VLAI
Details

ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to execute arbitrary code by injecting formula payloads into vendor name fields. Attackers can add malicious formulas like =10+20+cmd|' /C calc'!A0 in the vendor creation form, which execute when the exported CSV file is opened in spreadsheet applications.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-54348"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-05T12:16:17Z",
    "severity": "HIGH"
  },
  "details": "ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to execute arbitrary code by injecting formula payloads into vendor name fields. Attackers can add malicious formulas like =10+20+cmd|\u0027 /C calc\u0027!A0 in the vendor creation form, which execute when the exported CSV file is opened in spreadsheet applications.",
  "id": "GHSA-h3v8-v9f6-ffjp",
  "modified": "2026-05-05T12:31:38Z",
  "published": "2026-05-05T12:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54348"
    },
    {
      "type": "WEB",
      "url": "https://codecanyon.net/item/erpgo-saas-all-in-one-business-erp-with-project-account-hrm-crm-pos/33263426"
    },
    {
      "type": "WEB",
      "url": "https://rajodiya.com"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/51220"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/erpgo-saas-csv-injection-via-vendor-creation"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-H5XJ-9P36-6CJC

Vulnerability from github – Published: 2022-03-26 00:00 – Updated: 2022-03-31 00:00
VLAI
Details

Survey King v0.3.0 does not filter data properly when exporting excel files, allowing attackers to execute arbitrary code or access sensitive information via a CSV injection attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26249"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-24T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Survey King v0.3.0 does not filter data properly when exporting excel files, allowing attackers to execute arbitrary code or access sensitive information via a CSV injection attack.",
  "id": "GHSA-h5xj-9p36-6cjc",
  "modified": "2022-03-31T00:00:35Z",
  "published": "2022-03-26T00:00:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26249"
    },
    {
      "type": "WEB",
      "url": "https://gitee.com/surveyking/surveyking/issues/I4V05A"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

Mitigation
Implementation

If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Mitigation
Architecture and Design

Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

No CAPEC attack patterns related to this CWE.