Common Weakness Enumeration

CWE-1236

Allowed

Improper Neutralization of Formula Elements in a CSV File

Abstraction: Base · Status: Incomplete

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

401 vulnerabilities reference this CWE, most recent first.

GHSA-J569-F347-3CGF

Vulnerability from github – Published: 2023-06-05 21:30 – Updated: 2024-04-04 04:32
VLAI
Details

Minical 1.0.0 and earlier contains a CSV injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on the Customer Name field in the Accounting module that is used to construct a CSV file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-33410"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-05T21:15:11Z",
    "severity": "HIGH"
  },
  "details": "Minical 1.0.0 and earlier contains a CSV injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on the Customer Name field in the Accounting module that is used to construct a CSV file.",
  "id": "GHSA-j569-f347-3cgf",
  "modified": "2024-04-04T04:32:21Z",
  "published": "2023-06-05T21:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33410"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Thirukrishnan/CVE-2023-33410"
    },
    {
      "type": "WEB",
      "url": "https://github.com/minical/minical"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J5Q7-FP4M-M2WP

Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18
VLAI
Details

A CSV Injection vulnerability was discovered in Shopy Point of Sale v1.0 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10258"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-01T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "A CSV Injection vulnerability was discovered in Shopy Point of Sale v1.0 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.",
  "id": "GHSA-j5q7-fp4m-m2wp",
  "modified": "2022-05-13T01:18:49Z",
  "published": "2022-05-13T01:18:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10258"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/44534"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/147362/Shopy-Point-Of-Sale-1.0-CSV-Injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J6CP-32XJ-XR29

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33
VLAI
Details

phpMyAdmin through 5.0.2 allows CSV injection via Export Section

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-22278"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-04T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "phpMyAdmin through 5.0.2 allows CSV injection via Export Section",
  "id": "GHSA-j6cp-32xj-xr29",
  "modified": "2022-05-24T17:33:07Z",
  "published": "2022-05-24T17:33:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22278"
    },
    {
      "type": "WEB",
      "url": "https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22278.pdf"
    },
    {
      "type": "WEB",
      "url": "https://mega.nz/file/ySQnlQSR#vXzY46mgf0CE2ysYpWpbE4O6T_g37--rtaL8pqdHcQs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-J77H-M5QV-6JF7

Vulnerability from github – Published: 2022-09-17 00:00 – Updated: 2022-09-21 00:00
VLAI
Details

The Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an admin exporting the data

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2798"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-16T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an admin exporting the data",
  "id": "GHSA-j77h-m5qv-6jf7",
  "modified": "2022-09-21T00:00:46Z",
  "published": "2022-09-17T00:00:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2798"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/f169567d-c682-4abe-94df-a9d00be90edd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JG4Q-MPRJ-P635

Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05
VLAI
Details

Akaunting <= 2.0.9 is vulnerable to CSV injection in the Item name field, export function. Attackers can inject arbitrary code into the name parameter and perform code execution when the crafted file is opened.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-22390"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-21T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Akaunting \u003c= 2.0.9 is vulnerable to CSV injection in the Item name field, export function. Attackers can inject arbitrary code into the name parameter and perform code execution when the crafted file is opened.",
  "id": "GHSA-jg4q-mprj-p635",
  "modified": "2022-05-24T19:05:45Z",
  "published": "2022-05-24T19:05:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22390"
    },
    {
      "type": "WEB",
      "url": "https://cqinfo.la/csv-injection-in-akaunting"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-JMM5-HJQM-WQ94

Vulnerability from github – Published: 2024-05-01 18:30 – Updated: 2024-05-01 18:30
VLAI
Details

IBM WebSphere Automation 1.7.0 could allow an attacker with privileged access to the network to conduct a CSV injection. An attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 285623.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-28764"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-01T17:15:31Z",
    "severity": "MODERATE"
  },
  "details": "IBM WebSphere Automation 1.7.0 could allow an attacker with privileged access to the network to conduct a CSV injection.  An attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents.  IBM X-Force ID:  285623.",
  "id": "GHSA-jmm5-hjqm-wq94",
  "modified": "2024-05-01T18:30:41Z",
  "published": "2024-05-01T18:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28764"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/285623"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7149857"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JQRP-58FV-W8CQ

Vulnerability from github – Published: 2025-10-16 20:48 – Updated: 2025-10-16 20:48
VLAI
Summary
bagisto has CSV Formula Injection in Create New Product
Details

Summary

When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved into a CSV and opened in spreadsheet software, the spreadsheet will interpret that cell as a formula. This allows an attacker to supply a CSV field (e.g., product name) that contains a formula which may be evaluated by a victim’s spreadsheet application — potentially leading to data exfiltration and remote command execution (via older Excel exploits / OLE/cmd constructs or Excel macros).

Details

Spreadsheet applications treat cell text that begins with characters =, +, -, @ as formulas. If unescaped, spreadsheet will interpret and evaluate the content when the file is opened. The application fails to neutralize/escape leading formula characters when generating CSV or when accepting CSV import fields for display/export.

PoC

Insert CSV formula to the product name field, and save the changes. Export it to CSV file, open it and the calc.exe will be executed. Other CSV export functions are affected as well. http://127.0.0.1/admin/catalog/products/edit/1 image image

Impact

Data exfiltration: Using spreadsheet functions (e.g., WEBSERVICE, HYPERLINK, or concatenation to create requests) on victims' machines that make network calls. Remote command execution: In some historical cases, specially crafted formulas and older Excel behaviors can lead to RCE. Modern Excel hardens many of these, but risk remains depending on environment.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.3.7"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "bagisto/bagisto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62417"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-16T20:48:11Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\nWhen product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved into a CSV and opened in spreadsheet software, the spreadsheet will interpret that cell as a formula. This allows an attacker to supply a CSV field (e.g., product name) that contains a formula which may be evaluated by a victim\u2019s spreadsheet application \u2014 potentially leading to data exfiltration and remote command execution (via older Excel exploits / OLE/cmd constructs or Excel macros).\n\n### Details\nSpreadsheet applications treat cell text that begins with characters =, +, -, @ as formulas. If unescaped, spreadsheet will interpret and evaluate the content when the file is opened. The application fails to neutralize/escape leading formula characters when generating CSV or when accepting CSV import fields for display/export.\n\n### PoC\nInsert CSV formula to the product name field, and save the changes. Export it to CSV file, open it and the calc.exe will be executed. Other CSV export functions are affected as well.\nhttp://127.0.0.1/admin/catalog/products/edit/1\n\u003cimg width=\"408\" height=\"302\" alt=\"image\" src=\"https://github.com/user-attachments/assets/2c6fd1e3-6725-4bf4-9c64-20cd57f4e279\" /\u003e\n\u003cimg width=\"1696\" height=\"854\" alt=\"image\" src=\"https://github.com/user-attachments/assets/911a69ae-65ac-4a8a-ad8e-63571a9610c8\" /\u003e\n\n### Impact\nData exfiltration: Using spreadsheet functions (e.g., WEBSERVICE, HYPERLINK, or concatenation to create requests) on victims\u0027 machines that make network calls.\nRemote command execution: In some historical cases, specially crafted formulas and older Excel behaviors can lead to RCE. Modern Excel hardens many of these, but risk remains depending on environment.",
  "id": "GHSA-jqrp-58fv-w8cq",
  "modified": "2025-10-16T20:48:11Z",
  "published": "2025-10-16T20:48:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-jqrp-58fv-w8cq"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bagisto/bagisto/commit/8076c708498a0187bc952d5f5f705e0cb1919682"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bagisto/bagisto"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "bagisto has CSV Formula Injection in Create New Product"
}

GHSA-JVG2-RVXJ-JMP7

Vulnerability from github – Published: 2022-05-13 01:21 – Updated: 2022-05-13 01:21
VLAI
Details

CSV Injection vulnerability in ExportToCsvUtf8.php of the Contact Form 7 to Database Extension plugin 2.10.32 for WordPress allows remote attackers to inject spreadsheet formulas into CSV files via the contact form.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-9035"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-04T19:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "CSV Injection vulnerability in ExportToCsvUtf8.php of the Contact Form 7 to Database Extension plugin 2.10.32 for WordPress allows remote attackers to inject spreadsheet formulas into CSV files via the contact form.",
  "id": "GHSA-jvg2-rvxj-jmp7",
  "modified": "2022-05-13T01:21:04Z",
  "published": "2022-05-13T01:21:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9035"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/44367"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M386-MVXC-MMQ3

Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-05-24 19:18
VLAI
Details

There is a CSV injection vulnerability in ManageOne, iManager NetEco and iManager NetEco 6000. An attacker with high privilege may exploit this vulnerability through some operations to inject the CSV files. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject CSV files to the target device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-37131"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-27T01:15:00Z",
    "severity": "MODERATE"
  },
  "details": "There is a CSV injection vulnerability in ManageOne, iManager NetEco and iManager NetEco 6000. An attacker with high privilege may exploit this vulnerability through some operations to inject the CSV files. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject CSV files to the target device.",
  "id": "GHSA-m386-mvxc-mmq3",
  "modified": "2022-05-24T19:18:58Z",
  "published": "2022-05-24T19:18:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37131"
    },
    {
      "type": "WEB",
      "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20211020-01-csv-en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-M4WH-62FQ-HGH7

Vulnerability from github – Published: 2025-10-14 15:31 – Updated: 2025-10-14 15:31
VLAI
Details

An Improper Neutralization of Formula Elements in a CSV File vulnerability exists in System Diagnostics Manager (SDM) of B&R Automation Runtime versions before 6.4 enabling a remote attacker to inject formula data into a generated CSV file. The exploitation of this vulnerability requires the attacker to create a malicious link. The user would need to click on this link, after which the resulting CSV file addi-tionally needs to be manually opened.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11498"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-14T13:15:36Z",
    "severity": "MODERATE"
  },
  "details": "An Improper Neutralization of Formula Elements in a CSV File vulnerability exists in System Diagnostics Manager (SDM) of B\u0026R Automation Runtime versions before 6.4 enabling a remote attacker to inject formula data into a generated CSV file. The exploitation of this vulnerability requires the attacker to create a malicious link. The user would need to click on this link, after which the resulting CSV file addi-tionally needs to be manually opened.",
  "id": "GHSA-m4wh-62fq-hgh7",
  "modified": "2025-10-14T15:31:25Z",
  "published": "2025-10-14T15:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11498"
    },
    {
      "type": "WEB",
      "url": "https://www.br-automation.com/fileadmin/SA25P003-178b6a20.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation

When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

Mitigation
Implementation

If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Mitigation
Architecture and Design

Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

No CAPEC attack patterns related to this CWE.