Common Weakness Enumeration

CWE-1236

Allowed

Improper Neutralization of Formula Elements in a CSV File

Abstraction: Base · Status: Incomplete

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

401 vulnerabilities reference this CWE, most recent first.

GHSA-H77M-QRJ7-JXCW

Vulnerability from github – Published: 2026-06-26 23:03 – Updated: 2026-06-26 23:03
VLAI
Summary
Statamic Vulnerable to CSV formula injection in form submission exports
Details

Impact

Form submission values were not neutralized for spreadsheet formula characters when exported to CSV. A submission containing a value beginning with a formula trigger character (e.g.  = ,  + ,  - ,  @ ) could be interpreted as a live formula when a Control Panel user opens the export in a spreadsheet application. Form submissions can come from unauthenticated front-end visitors, so the malicious value can be supplied by an anonymous user and is later triggered by an editor opening the export.

Exploitation affects the spreadsheet application used to open the export, not the Statamic application or server; the data at risk is the form submission data the exporting user is already authorized to view.

Patches

This has been fixed in 5.73.24 and 6.20.1.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "statamic/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.20.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "statamic/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.73.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54243"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T23:03:56Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nForm submission values were not neutralized for spreadsheet formula characters when exported to CSV. A submission containing a value beginning with a formula trigger character (e.g. \u00a0=\u00a0, \u00a0+\u00a0, \u00a0-\u00a0, \u00a0@\u00a0) could be interpreted as a live formula when a Control Panel user opens the export in a spreadsheet application. Form submissions can come from unauthenticated front-end visitors, so the malicious value can be supplied by an anonymous user and is later triggered by an editor opening the export.\n\nExploitation affects the spreadsheet application used to open the export, not the Statamic application or server; the data at risk is the form submission data the exporting user is already authorized to view.\n\n\n### Patches\n\nThis has been fixed in 5.73.24 and 6.20.1.",
  "id": "GHSA-h77m-qrj7-jxcw",
  "modified": "2026-06-26T23:03:56Z",
  "published": "2026-06-26T23:03:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/statamic/cms/security/advisories/GHSA-h77m-qrj7-jxcw"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/statamic/cms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Statamic Vulnerable to CSV formula injection in form submission exports"
}

GHSA-H7VQ-5QGW-JWWQ

Vulnerability from github – Published: 2021-10-18 19:04 – Updated: 2021-10-18 19:11
VLAI
Summary
CSV Injection Vulnerability
Details

Impact

In some circumstances, it was possible to export data in CSV format that could trigger a payload in old versions of Excel.

If you are accepting user input from untrusted sources and will be exporting that data in CSV format from element index pages and there is a chance users will open that on old versions of Excel, then you should update.

Patches

This has been patched in Craft 3.7.14.

References

  • https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#3714---2021-09-28
  • https://twitter.com/craftcmsupdates/status/1442928690145366018

For more information

If you have any questions or comments about this advisory, email us at support@craftcms.com


Credits: BAE Systems AI Vulnerability Research Team – Azrul Ikhwan Zulkifli

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.4.0"
            },
            {
              "fixed": "3.7.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41824"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-15T17:36:16Z",
    "nvd_published_at": "2021-09-30T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nIn some circumstances, it was possible to export data in CSV format that could trigger a payload in old versions of Excel.\n\nIf you are accepting user input from untrusted sources and will be exporting that data in CSV format from element index pages and there is a chance users will open that on old versions of Excel, then you should update.\n\n### Patches\nThis has been patched in Craft 3.7.14.\n\n### References\n* https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#3714---2021-09-28\n* https://twitter.com/craftcmsupdates/status/1442928690145366018\n\n### For more information\n\nIf you have any questions or comments about this advisory, email us at support@craftcms.com\n\n----------\n\nCredits: BAE Systems AI Vulnerability Research Team \u2013 Azrul Ikhwan Zulkifli",
  "id": "GHSA-h7vq-5qgw-jwwq",
  "modified": "2021-10-18T19:11:00Z",
  "published": "2021-10-18T19:04:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-h7vq-5qgw-jwwq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41824"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/c9cb2225f1b908fb1e8401d401219228634b26b2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#3714---2021-09-28"
    },
    {
      "type": "WEB",
      "url": "https://twitter.com/craftcmsupdates/status/1442928690145366018"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CSV Injection Vulnerability"
}

GHSA-H8R6-3PJ7-GWFH

Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2026-02-24 18:30
VLAI
Details

SAP Business One - version 10.0, allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitation during the data export. An attacker could thereby execute arbitrary commands on the victim's computer but only if the victim allows to execute macros while opening the file and the security settings of Excel allow for command execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38180"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-12T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "SAP Business One - version 10.0, allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitation during the data export. An attacker could thereby execute arbitrary commands on the victim\u0027s computer but only if the victim allows to execute macros while opening the file and the security settings of Excel allow for command execution.",
  "id": "GHSA-h8r6-3pj7-gwfh",
  "modified": "2026-02-24T18:30:55Z",
  "published": "2022-05-24T19:17:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38180"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/3079427"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HF85-QCCF-2W3H

Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19
VLAI
Details

The admin backend in phpMyFAQ before 2.9.11 allows CSV injection in reports.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-16651"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-07T05:29:00Z",
    "severity": "HIGH"
  },
  "details": "The admin backend in phpMyFAQ before 2.9.11 allows CSV injection in reports.",
  "id": "GHSA-hf85-qccf-2w3h",
  "modified": "2022-05-13T01:19:16Z",
  "published": "2022-05-13T01:19:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16651"
    },
    {
      "type": "WEB",
      "url": "https://www.phpmyfaq.de/security/advisory-2018-09-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HFW2-FVXC-CCVP

Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08
VLAI
Details

A CWE-1236: Improper Neutralization of Formula Elements in a CSV File vulnerability exists in Easergy T300 with firmware V2.7.1 and older that would allow arbitrary command execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22771"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-21T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "A CWE-1236: Improper Neutralization of Formula Elements in a CSV File vulnerability exists in Easergy T300 with firmware V2.7.1 and older that would allow arbitrary command execution.",
  "id": "GHSA-hfw2-fvxc-ccvp",
  "modified": "2022-05-24T19:08:47Z",
  "published": "2022-05-24T19:08:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22771"
    },
    {
      "type": "WEB",
      "url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HJC7-GRQV-7X6Q

Vulnerability from github – Published: 2022-11-07 12:00 – Updated: 2022-11-10 12:01
VLAI
Details

The Import and export users and customers WordPress plugin before 1.20.5 does not properly escape data when exporting it via CSV files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3558"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-07T10:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Import and export users and customers WordPress plugin before 1.20.5 does not properly escape data when exporting it via CSV files.",
  "id": "GHSA-hjc7-grqv-7x6q",
  "modified": "2022-11-10T12:01:04Z",
  "published": "2022-11-07T12:00:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3558"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?new=2798139%40import-users-from-csv-with-meta\u0026old=2785785%40import-users-from-csv-with-meta"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/e3d72e04-9cdf-4b7d-953e-876e26abdfc6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HM75-8W6H-4F8F

Vulnerability from github – Published: 2023-06-23 15:30 – Updated: 2023-06-30 20:17
VLAI
Summary
Admidio Improper Neutralization of Formula Elements in a CSV File vulnerability
Details

Admidio prior to 4.2.9 is vulnerable toImproper Neutralization of Formula Elements in a CSV File.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "admidio/admidio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.2.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-3302"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-23T21:46:18Z",
    "nvd_published_at": "2023-06-23T13:15:10Z",
    "severity": "HIGH"
  },
  "details": "Admidio prior to 4.2.9 is vulnerable toImproper Neutralization of Formula Elements in a CSV File.",
  "id": "GHSA-hm75-8w6h-4f8f",
  "modified": "2023-06-30T20:17:57Z",
  "published": "2023-06-23T15:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3302"
    },
    {
      "type": "WEB",
      "url": "https://github.com/admidio/admidio/commit/c87a7074a1a73c4851263060afd76aa4d5b6415f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/admidio/admidio"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/5e18619f-8379-464a-aad2-65883bb4e81a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Admidio Improper Neutralization of Formula Elements in a CSV File vulnerability"
}

GHSA-HP3G-5VJ7-7HGC

Vulnerability from github – Published: 2022-05-24 17:05 – Updated: 2024-05-20 21:31
VLAI
Details

The TablePress plugin 1.9.2 for WordPress allows tablepress[data] CSV injection by Editor users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-20180"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-01-09T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The TablePress plugin 1.9.2 for WordPress allows tablepress[data] CSV injection by Editor users.",
  "id": "GHSA-hp3g-5vj7-7hgc",
  "modified": "2024-05-20T21:31:09Z",
  "published": "2022-05-24T17:05:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20180"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/%40Pablo0xSantiago/cve-2019-20180-tablepress-version-1-9-2-csv-injection-65309fcc8be8"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@Pablo0xSantiago/cve-2019-20180-tablepress-version-1-9-2-csv-injection-65309fcc8be8"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/support/topic/security-issue-cve-2019-20180-for-tablepress/#post-16282996"
    },
    {
      "type": "WEB",
      "url": "https://wpvulndb.com/vulnerabilities/10016"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HRFW-PWJG-7PRC

Vulnerability from github – Published: 2023-12-29 06:30 – Updated: 2024-08-27 21:31
VLAI
Details

CSV Injection vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows attackers to obtain sensitive information via the User Name field.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31296"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-29T04:15:09Z",
    "severity": "MODERATE"
  },
  "details": "CSV Injection vulnerability in Sesami Cash Point \u0026 Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows attackers to obtain sensitive information via the User Name field.",
  "id": "GHSA-hrfw-pwjg-7prc",
  "modified": "2024-08-27T21:31:10Z",
  "published": "2023-12-29T06:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31296"
    },
    {
      "type": "WEB",
      "url": "https://herolab.usd.de/en/security-advisories/usd-2022-0054"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HVWW-M87W-QFPC

Vulnerability from github – Published: 2025-12-08 12:30 – Updated: 2025-12-08 12:30
VLAI
Details

A security vulnerability has been detected in SourceCodester Inventory Management System 1.0. The affected element is an unknown function of the component SVC Report Export. Such manipulation leads to csv injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14229"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236",
      "CWE-74"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-08T11:15:48Z",
    "severity": "MODERATE"
  },
  "details": "A security vulnerability has been detected in SourceCodester Inventory Management System 1.0. The affected element is an unknown function of the component SVC Report Export. Such manipulation leads to csv injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.",
  "id": "GHSA-hvww-m87w-qfpc",
  "modified": "2025-12-08T12:30:26Z",
  "published": "2025-12-08T12:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14229"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.334671"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.334671"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.702119"
    },
    {
      "type": "WEB",
      "url": "https://www.notion.so/Spreadsheet-Formula-Injection-Leading-to-Remote-Code-Execution-in-SourceCodester-Inventory-Managemen-2b723917db8c80dfaaabe2b74d6f283d?source=copy_link"
    },
    {
      "type": "WEB",
      "url": "https://www.sourcecodester.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation

When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

Mitigation
Implementation

If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Mitigation
Architecture and Design

Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

No CAPEC attack patterns related to this CWE.