Common Weakness Enumeration

CWE-1236

Allowed

Improper Neutralization of Formula Elements in a CSV File

Abstraction: Base · Status: Incomplete

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

401 vulnerabilities reference this CWE, most recent first.

GHSA-PQFM-Q79F-GFXC

Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2024-03-21 03:33
VLAI
Details

** DISPUTED ** CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export. NOTE: the vendor has stated "this is not a security problem in DokuWiki."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-15474"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-07T22:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "** DISPUTED ** CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export.  NOTE: the vendor has stated \"this is not a security problem in DokuWiki.\"",
  "id": "GHSA-pqfm-q79f-gfxc",
  "modified": "2024-03-21T03:33:32Z",
  "published": "2022-05-13T01:19:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15474"
    },
    {
      "type": "WEB",
      "url": "https://github.com/splitbrain/dokuwiki/issues/2450"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2018/Sep/4"
    },
    {
      "type": "WEB",
      "url": "https://www.patreon.com/posts/unfixed-security-21250652"
    },
    {
      "type": "WEB",
      "url": "https://www.sec-consult.com/en/blog/advisories/dokuwiki-csv-formula-injection-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PVJ2-28FW-3GC8

Vulnerability from github – Published: 2022-09-17 00:00 – Updated: 2022-09-18 00:00
VLAI
Details

CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Admin user exporting contacts in CSV file may end up executing the malicious system commands on his system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38844"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-16T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Admin user exporting contacts in CSV file may end up executing the malicious system commands on his system.",
  "id": "GHSA-pvj2-28fw-3gc8",
  "modified": "2022-09-18T00:00:32Z",
  "published": "2022-09-17T00:00:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38844"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/cybersecurity-valuelabs/espocrm-7-1-8-is-vulnerable-to-csv-injection-4c07494e2a76"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PWPX-FV8F-9458

Vulnerability from github – Published: 2023-04-25 15:30 – Updated: 2024-04-04 03:40
VLAI
Details

ChurchCRM 4.5.3 was discovered to contain a CSV injection vulnerability via the Last Name and First Name input fields when creating a new person. These vulnerabilities allow attackers to execute arbitrary code via a crafted excel file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-25348"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-25T13:15:09Z",
    "severity": "HIGH"
  },
  "details": "ChurchCRM 4.5.3 was discovered to contain a CSV injection vulnerability via the Last Name and First Name input fields when creating a new person. These vulnerabilities allow attackers to execute arbitrary code via a crafted excel file.",
  "id": "GHSA-pwpx-fv8f-9458",
  "modified": "2024-04-04T03:40:28Z",
  "published": "2023-04-25T15:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25348"
    },
    {
      "type": "WEB",
      "url": "https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-25348"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ChurchCRM/CRM"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PX5R-QP49-693Q

Vulnerability from github – Published: 2026-04-14 15:30 – Updated: 2026-04-16 15:31
VLAI
Details

An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31049"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-14T14:16:13Z",
    "severity": "CRITICAL"
  },
  "details": "An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field",
  "id": "GHSA-px5r-qp49-693q",
  "modified": "2026-04-16T15:31:29Z",
  "published": "2026-04-14T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31049"
    },
    {
      "type": "WEB",
      "url": "https://blog.hostbillapp.com/2025/12/03/hostbill-security-advisory"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Muhammad5235/HostBill-CVEs-2025/blob/main/Missing%20Server-Side%20Validation/Registration%20fields%20%26%20Import%20Csv"
    },
    {
      "type": "WEB",
      "url": "https://hostbillapp.com/changelog"
    },
    {
      "type": "WEB",
      "url": "https://hostbillapp.com/release-notes/11-27-2025.html"
    },
    {
      "type": "WEB",
      "url": "https://hostbillapp.com/release-notes/12-01-2025.html"
    },
    {
      "type": "WEB",
      "url": "https://hostbillapp.com/responsible-disclosure"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q3Q6-3X37-G8GW

Vulnerability from github – Published: 2024-04-09 21:32 – Updated: 2026-04-08 18:32
VLAI
Details

The Relevanssi – A Better Search plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 4.22.1. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3214"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-09T19:15:40Z",
    "severity": "MODERATE"
  },
  "details": "The Relevanssi \u2013 A Better Search plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 4.22.1. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.",
  "id": "GHSA-q3q6-3x37-g8gw",
  "modified": "2026-04-08T18:32:57Z",
  "published": "2024-04-09T21:32:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3214"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3064304/relevanssi/tags/4.22.2/lib/log.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9960bae9-6f19-49eb-8f24-fdde4933671e?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q693-V7QF-P4XJ

Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2025-06-19 18:40
VLAI
Summary
Alkacon OpenCMS CSV Injection via New User module
Details

Alkacon OpenCMS v10.5.4 and before is affected by CSV (aka Excel Macro) Injection in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp) via the First Name or Last Name.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opencms:opencms-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-11819"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-19T18:40:41Z",
    "nvd_published_at": "2019-05-08T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "Alkacon OpenCMS v10.5.4 and before is affected by CSV (aka Excel Macro) Injection in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp) via the First Name or Last Name.",
  "id": "GHSA-q693-v7qf-p4xj",
  "modified": "2025-06-19T18:40:42Z",
  "published": "2022-05-24T16:45:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11819"
    },
    {
      "type": "WEB",
      "url": "https://github.com/alkacon/opencms-core/issues/636"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/alkacon/opencms-core"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2019/05/05/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Alkacon OpenCMS CSV Injection via New User module"
}

GHSA-Q6V6-32HH-PQ9P

Vulnerability from github – Published: 2023-11-07 21:30 – Updated: 2026-04-28 21:33
VLAI
Details

Improper Neutralization of Formula Elements in a CSV File vulnerability in WPDeveloper ReviewX – Multi-criteria Rating & Reviews for WooCommerce.This issue affects ReviewX – Multi-criteria Rating & Reviews for WooCommerce: from n/a through 1.6.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-46809"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-07T17:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in WPDeveloper ReviewX \u2013 Multi-criteria Rating \u0026 Reviews for WooCommerce.This issue affects ReviewX \u2013 Multi-criteria Rating \u0026 Reviews for WooCommerce: from n/a through 1.6.7.",
  "id": "GHSA-q6v6-32hh-pq9p",
  "modified": "2026-04-28T21:33:02Z",
  "published": "2023-11-07T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46809"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/reviewx/vulnerability/wordpress-reviewx-plugin-1-6-6-csv-injection?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/reviewx/wordpress-reviewx-plugin-1-6-6-csv-injection?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q798-PWW9-Q6HP

Vulnerability from github – Published: 2025-01-24 00:31 – Updated: 2025-01-24 21:31
VLAI
Details

KWHotel 0.47 is vulnerable to CSV Formula Injection in the add guest function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-46400"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-23T22:15:12Z",
    "severity": "MODERATE"
  },
  "details": "KWHotel 0.47 is vulnerable to CSV Formula Injection in the add guest function.",
  "id": "GHSA-q798-pww9-q6hp",
  "modified": "2025-01-24T21:31:27Z",
  "published": "2025-01-24T00:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46400"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/6en6ar/5d39374d6ced8acbe489e0b1b932d056"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q9RQ-5HWP-7WQ9

Vulnerability from github – Published: 2023-11-07 21:30 – Updated: 2026-04-28 21:33
VLAI
Details

Improper Neutralization of Formula Elements in a CSV File vulnerability in Noptin Newsletter Simple Newsletter Plugin – Noptin.This issue affects Simple Newsletter Plugin – Noptin: from n/a through 1.9.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-46803"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-07T17:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in Noptin Newsletter Simple Newsletter Plugin \u2013 Noptin.This issue affects Simple Newsletter Plugin \u2013 Noptin: from n/a through 1.9.5.",
  "id": "GHSA-q9rq-5hwp-7wq9",
  "modified": "2026-04-28T21:33:02Z",
  "published": "2023-11-07T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46803"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/newsletter-optin-box/vulnerability/wordpress-simple-newsletter-plugin-noptin-plugin-1-9-5-unauth-csv-injection-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/newsletter-optin-box/wordpress-simple-newsletter-plugin-noptin-plugin-1-9-5-unauth-csv-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QFH6-H7J6-FVJV

Vulnerability from github – Published: 2026-02-03 12:30 – Updated: 2026-02-03 19:06
VLAI
Summary
Moodle formula injection vulnerability
Details

A flaw was found in Moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.4.0-beta"
            },
            {
              "fixed": "4.4.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.5.0-beta"
            },
            {
              "fixed": "4.5.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-beta"
            },
            {
              "fixed": "5.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.1.0-beta"
            },
            {
              "fixed": "5.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-67851"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-03T19:06:25Z",
    "nvd_published_at": "2026-02-03T11:15:55Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet.",
  "id": "GHSA-qfh6-h7j6-fvjv",
  "modified": "2026-02-03T19:06:25Z",
  "published": "2026-02-03T12:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67851"
    },
    {
      "type": "WEB",
      "url": "https://github.com/moodle/moodle/commit/29820c5ff4ef381c7a743091ec5c68ac82903b22"
    },
    {
      "type": "WEB",
      "url": "https://github.com/moodle/moodle/commit/aa66bacd0783cbc33528fba9c2adca1f685a59bd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/moodle/moodle/commit/dc57ccc491a2a04032445a3ee92fd0d335ebd746"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-67851"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423841"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/moodle/moodle"
    },
    {
      "type": "WEB",
      "url": "https://moodle.org/mod/forum/discuss.php?d=471301"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Moodle formula injection vulnerability"
}

Mitigation
Implementation

When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

Mitigation
Implementation

If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Mitigation
Architecture and Design

Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

No CAPEC attack patterns related to this CWE.