CWE-1236
AllowedImproper Neutralization of Formula Elements in a CSV File
Abstraction: Base · Status: Incomplete
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
401 vulnerabilities reference this CWE, most recent first.
GHSA-PQFM-Q79F-GFXC
Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2024-03-21 03:33** DISPUTED ** CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export. NOTE: the vendor has stated "this is not a security problem in DokuWiki."
{
"affected": [],
"aliases": [
"CVE-2018-15474"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-07T22:29:00Z",
"severity": "CRITICAL"
},
"details": "** DISPUTED ** CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export. NOTE: the vendor has stated \"this is not a security problem in DokuWiki.\"",
"id": "GHSA-pqfm-q79f-gfxc",
"modified": "2024-03-21T03:33:32Z",
"published": "2022-05-13T01:19:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15474"
},
{
"type": "WEB",
"url": "https://github.com/splitbrain/dokuwiki/issues/2450"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2018/Sep/4"
},
{
"type": "WEB",
"url": "https://www.patreon.com/posts/unfixed-security-21250652"
},
{
"type": "WEB",
"url": "https://www.sec-consult.com/en/blog/advisories/dokuwiki-csv-formula-injection-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PVJ2-28FW-3GC8
Vulnerability from github – Published: 2022-09-17 00:00 – Updated: 2022-09-18 00:00CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Admin user exporting contacts in CSV file may end up executing the malicious system commands on his system.
{
"affected": [],
"aliases": [
"CVE-2022-38844"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-16T14:15:00Z",
"severity": "HIGH"
},
"details": "CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Admin user exporting contacts in CSV file may end up executing the malicious system commands on his system.",
"id": "GHSA-pvj2-28fw-3gc8",
"modified": "2022-09-18T00:00:32Z",
"published": "2022-09-17T00:00:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38844"
},
{
"type": "WEB",
"url": "https://medium.com/cybersecurity-valuelabs/espocrm-7-1-8-is-vulnerable-to-csv-injection-4c07494e2a76"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PWPX-FV8F-9458
Vulnerability from github – Published: 2023-04-25 15:30 – Updated: 2024-04-04 03:40ChurchCRM 4.5.3 was discovered to contain a CSV injection vulnerability via the Last Name and First Name input fields when creating a new person. These vulnerabilities allow attackers to execute arbitrary code via a crafted excel file.
{
"affected": [],
"aliases": [
"CVE-2023-25348"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-25T13:15:09Z",
"severity": "HIGH"
},
"details": "ChurchCRM 4.5.3 was discovered to contain a CSV injection vulnerability via the Last Name and First Name input fields when creating a new person. These vulnerabilities allow attackers to execute arbitrary code via a crafted excel file.",
"id": "GHSA-pwpx-fv8f-9458",
"modified": "2024-04-04T03:40:28Z",
"published": "2023-04-25T15:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25348"
},
{
"type": "WEB",
"url": "https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-25348"
},
{
"type": "WEB",
"url": "https://github.com/ChurchCRM/CRM"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PX5R-QP49-693Q
Vulnerability from github – Published: 2026-04-14 15:30 – Updated: 2026-04-16 15:31An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field
{
"affected": [],
"aliases": [
"CVE-2026-31049"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-14T14:16:13Z",
"severity": "CRITICAL"
},
"details": "An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field",
"id": "GHSA-px5r-qp49-693q",
"modified": "2026-04-16T15:31:29Z",
"published": "2026-04-14T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31049"
},
{
"type": "WEB",
"url": "https://blog.hostbillapp.com/2025/12/03/hostbill-security-advisory"
},
{
"type": "WEB",
"url": "https://github.com/Muhammad5235/HostBill-CVEs-2025/blob/main/Missing%20Server-Side%20Validation/Registration%20fields%20%26%20Import%20Csv"
},
{
"type": "WEB",
"url": "https://hostbillapp.com/changelog"
},
{
"type": "WEB",
"url": "https://hostbillapp.com/release-notes/11-27-2025.html"
},
{
"type": "WEB",
"url": "https://hostbillapp.com/release-notes/12-01-2025.html"
},
{
"type": "WEB",
"url": "https://hostbillapp.com/responsible-disclosure"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q3Q6-3X37-G8GW
Vulnerability from github – Published: 2024-04-09 21:32 – Updated: 2026-04-08 18:32The Relevanssi – A Better Search plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 4.22.1. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
{
"affected": [],
"aliases": [
"CVE-2024-3214"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-09T19:15:40Z",
"severity": "MODERATE"
},
"details": "The Relevanssi \u2013 A Better Search plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 4.22.1. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.",
"id": "GHSA-q3q6-3x37-g8gw",
"modified": "2026-04-08T18:32:57Z",
"published": "2024-04-09T21:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3214"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3064304/relevanssi/tags/4.22.2/lib/log.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9960bae9-6f19-49eb-8f24-fdde4933671e?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q693-V7QF-P4XJ
Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2025-06-19 18:40Alkacon OpenCMS v10.5.4 and before is affected by CSV (aka Excel Macro) Injection in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp) via the First Name or Last Name.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.opencms:opencms-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-11819"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-19T18:40:41Z",
"nvd_published_at": "2019-05-08T16:29:00Z",
"severity": "HIGH"
},
"details": "Alkacon OpenCMS v10.5.4 and before is affected by CSV (aka Excel Macro) Injection in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp) via the First Name or Last Name.",
"id": "GHSA-q693-v7qf-p4xj",
"modified": "2025-06-19T18:40:42Z",
"published": "2022-05-24T16:45:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11819"
},
{
"type": "WEB",
"url": "https://github.com/alkacon/opencms-core/issues/636"
},
{
"type": "PACKAGE",
"url": "https://github.com/alkacon/opencms-core"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2019/05/05/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Alkacon OpenCMS CSV Injection via New User module"
}
GHSA-Q6V6-32HH-PQ9P
Vulnerability from github – Published: 2023-11-07 21:30 – Updated: 2026-04-28 21:33Improper Neutralization of Formula Elements in a CSV File vulnerability in WPDeveloper ReviewX – Multi-criteria Rating & Reviews for WooCommerce.This issue affects ReviewX – Multi-criteria Rating & Reviews for WooCommerce: from n/a through 1.6.7.
{
"affected": [],
"aliases": [
"CVE-2022-46809"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-07T17:15:09Z",
"severity": "CRITICAL"
},
"details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in WPDeveloper ReviewX \u2013 Multi-criteria Rating \u0026 Reviews for WooCommerce.This issue affects ReviewX \u2013 Multi-criteria Rating \u0026 Reviews for WooCommerce: from n/a through 1.6.7.",
"id": "GHSA-q6v6-32hh-pq9p",
"modified": "2026-04-28T21:33:02Z",
"published": "2023-11-07T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46809"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/reviewx/vulnerability/wordpress-reviewx-plugin-1-6-6-csv-injection?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/reviewx/wordpress-reviewx-plugin-1-6-6-csv-injection?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q798-PWW9-Q6HP
Vulnerability from github – Published: 2025-01-24 00:31 – Updated: 2025-01-24 21:31KWHotel 0.47 is vulnerable to CSV Formula Injection in the add guest function.
{
"affected": [],
"aliases": [
"CVE-2023-46400"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-23T22:15:12Z",
"severity": "MODERATE"
},
"details": "KWHotel 0.47 is vulnerable to CSV Formula Injection in the add guest function.",
"id": "GHSA-q798-pww9-q6hp",
"modified": "2025-01-24T21:31:27Z",
"published": "2025-01-24T00:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46400"
},
{
"type": "WEB",
"url": "https://gist.github.com/6en6ar/5d39374d6ced8acbe489e0b1b932d056"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q9RQ-5HWP-7WQ9
Vulnerability from github – Published: 2023-11-07 21:30 – Updated: 2026-04-28 21:33Improper Neutralization of Formula Elements in a CSV File vulnerability in Noptin Newsletter Simple Newsletter Plugin – Noptin.This issue affects Simple Newsletter Plugin – Noptin: from n/a through 1.9.5.
{
"affected": [],
"aliases": [
"CVE-2022-46803"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-07T17:15:08Z",
"severity": "CRITICAL"
},
"details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in Noptin Newsletter Simple Newsletter Plugin \u2013 Noptin.This issue affects Simple Newsletter Plugin \u2013 Noptin: from n/a through 1.9.5.",
"id": "GHSA-q9rq-5hwp-7wq9",
"modified": "2026-04-28T21:33:02Z",
"published": "2023-11-07T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46803"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/newsletter-optin-box/vulnerability/wordpress-simple-newsletter-plugin-noptin-plugin-1-9-5-unauth-csv-injection-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/newsletter-optin-box/wordpress-simple-newsletter-plugin-noptin-plugin-1-9-5-unauth-csv-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QFH6-H7J6-FVJV
Vulnerability from github – Published: 2026-02-03 12:30 – Updated: 2026-02-03 19:06A flaw was found in Moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.22"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0-beta"
},
{
"fixed": "4.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.5.0-beta"
},
{
"fixed": "4.5.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-beta"
},
{
"fixed": "5.0.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "5.1.0-beta"
},
{
"fixed": "5.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-67851"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-03T19:06:25Z",
"nvd_published_at": "2026-02-03T11:15:55Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet.",
"id": "GHSA-qfh6-h7j6-fvjv",
"modified": "2026-02-03T19:06:25Z",
"published": "2026-02-03T12:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67851"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/29820c5ff4ef381c7a743091ec5c68ac82903b22"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/aa66bacd0783cbc33528fba9c2adca1f685a59bd"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/dc57ccc491a2a04032445a3ee92fd0d335ebd746"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-67851"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423841"
},
{
"type": "PACKAGE",
"url": "https://github.com/moodle/moodle"
},
{
"type": "WEB",
"url": "https://moodle.org/mod/forum/discuss.php?d=471301"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Moodle formula injection vulnerability"
}
Mitigation
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Mitigation
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Mitigation
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
No CAPEC attack patterns related to this CWE.