Common Weakness Enumeration

CWE-1236

Allowed

Improper Neutralization of Formula Elements in a CSV File

Abstraction: Base · Status: Incomplete

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

401 vulnerabilities reference this CWE, most recent first.

GHSA-QGF9-6CXX-Q2QV

Vulnerability from github – Published: 2024-04-04 09:30 – Updated: 2025-03-28 21:30
VLAI
Details

CSV Injection vulnerability in Addactis IBNRS v.3.10.3.107 allows a remote attacker to execute arbitrary code via a crafted .ibnrs file to the Project Description, Identifiers, Custom Triangle Name (inside Input Triangles) and Yield Curve Name parameters.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-29375"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-04T07:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "CSV Injection vulnerability in Addactis IBNRS v.3.10.3.107 allows a remote attacker to execute arbitrary code via a crafted .ibnrs file to the Project Description, Identifiers, Custom Triangle Name (inside Input Triangles) and Yield Curve Name parameters.",
  "id": "GHSA-qgf9-6cxx-q2qv",
  "modified": "2025-03-28T21:30:39Z",
  "published": "2024-04-04T09:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29375"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ismailcemunver/CVE-2024-29375"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QHV9-5QRV-2R67

Vulnerability from github – Published: 2023-11-13 21:30 – Updated: 2026-04-28 15:30
VLAI
Details

Improper Neutralization of Formula Elements in a CSV File vulnerability in Lenderd 1003 Mortgage Application.This issue affects 1003 Mortgage Application: from n/a through 1.75.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-45357"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-07T16:15:27Z",
    "severity": "CRITICAL"
  },
  "details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in Lenderd 1003 Mortgage Application.This issue affects 1003 Mortgage Application: from n/a through 1.75.",
  "id": "GHSA-qhv9-5qrv-2r67",
  "modified": "2026-04-28T15:30:34Z",
  "published": "2023-11-13T21:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45357"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/1003-mortgage-application/vulnerability/wordpress-1003-mortgage-application-plugin-1-73-csv-injection?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/1003-mortgage-application/wordpress-1003-mortgage-application-plugin-1-73-csv-injection?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QP7G-V294-G9HJ

Vulnerability from github – Published: 2022-11-01 12:00 – Updated: 2022-11-03 12:00
VLAI
Details

The application was identified to have an CSV injection in data export functionality, allowing for malicious code to be embedded within export data and then triggered in exported data viewers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-40294"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-31T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "The application was identified to have an CSV injection in data export functionality, allowing for malicious code to be embedded within export data and then triggered in exported data viewers.",
  "id": "GHSA-qp7g-v294-g9hj",
  "modified": "2022-11-03T12:00:27Z",
  "published": "2022-11-01T12:00:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40294"
    },
    {
      "type": "WEB",
      "url": "https://www.themissinglink.com.au/security-advisories/cve-2022-40294"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QPCV-WR8H-9QCH

Vulnerability from github – Published: 2023-11-15 21:35 – Updated: 2026-04-28 15:30
VLAI
Details

Improper Neutralization of Formula Elements in a CSV File vulnerability in GiveWP.This issue affects GiveWP: from n/a through 2.25.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22719"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-07T16:15:28Z",
    "severity": "CRITICAL"
  },
  "details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in GiveWP.This issue affects GiveWP: from n/a through 2.25.1.",
  "id": "GHSA-qpcv-wr8h-9qch",
  "modified": "2026-04-28T15:30:34Z",
  "published": "2023-11-15T21:35:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22719"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/give/vulnerability/wordpress-givewp-plugin-2-25-1-csv-injection-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/give/wordpress-givewp-plugin-2-25-1-csv-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QPQQ-223W-7PWH

Vulnerability from github – Published: 2025-12-18 00:34 – Updated: 2025-12-18 00:34
VLAI
Details

ProjectSend r1605 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into user profile names. Attackers can craft payloads like =calc|a!z| in the name field to trigger code execution when administrators export action logs as CSV files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53905"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-17T23:15:48Z",
    "severity": "MODERATE"
  },
  "details": "ProjectSend r1605 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into user profile names. Attackers can craft payloads like =calc|a!z| in the name field to trigger code execution when administrators export action logs as CSV files.",
  "id": "GHSA-qpqq-223w-7pwh",
  "modified": "2025-12-18T00:34:07Z",
  "published": "2025-12-18T00:34:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53905"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/51517"
    },
    {
      "type": "WEB",
      "url": "https://www.projectsend.org"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/projectsend-csv-injection-via-user-account-export-functionality"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-QR42-XHM2-JG7W

Vulnerability from github – Published: 2025-02-19 21:31 – Updated: 2025-02-20 15:31
VLAI
Details

PHPJabbers Event Booking Calendar v4.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-51298"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-19T20:15:34Z",
    "severity": "MODERATE"
  },
  "details": "PHPJabbers Event Booking Calendar v4.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.",
  "id": "GHSA-qr42-xhm2-jg7w",
  "modified": "2025-02-20T15:31:06Z",
  "published": "2025-02-19T21:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51298"
    },
    {
      "type": "WEB",
      "url": "https://www.phpjabbers.com/event-booking-calendar/#sectionDemo"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/176487/PHPJabbers-Event-Booking-Calendar-4.0-CSV-Injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QV7C-W6CP-C775

Vulnerability from github – Published: 2026-06-15 15:31 – Updated: 2026-06-15 15:31
VLAI
Details

Improper neutralization of formula elements in a CSV file vulnerability in MIA Technology Inc. Pizzy Library allows Code Injection.

This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5242"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-15T14:16:37Z",
    "severity": "HIGH"
  },
  "details": "Improper neutralization of formula elements in a CSV file vulnerability in MIA Technology Inc. Pizzy Library allows Code Injection.\n\nThis issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.",
  "id": "GHSA-qv7c-w6cp-c775",
  "modified": "2026-06-15T15:31:33Z",
  "published": "2026-06-15T15:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5242"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0383"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QXGQ-6J8M-J2XM

Vulnerability from github – Published: 2022-12-12 15:30 – Updated: 2022-12-15 15:32
VLAI
Details

Vulnerabilities in ArubaOS running on 7xxx series controllers exist that allows an attacker to execute arbitrary code during the boot sequence. Successful exploitation could allow an attacker to achieve permanent modification of the underlying operating system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-37905"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-12T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "Vulnerabilities in ArubaOS running on 7xxx series controllers exist that allows an attacker to execute arbitrary code during the boot sequence. Successful exploitation could allow an attacker to achieve permanent modification of the underlying operating system.",
  "id": "GHSA-qxgq-6j8m-j2xm",
  "modified": "2022-12-15T15:32:13Z",
  "published": "2022-12-12T15:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37905"
    },
    {
      "type": "WEB",
      "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-016.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R34M-Q473-J9RR

Vulnerability from github – Published: 2025-02-19 21:31 – Updated: 2025-02-20 15:31
VLAI
Details

PHPJabbers Hotel Booking System v4.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-51302"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-19T21:15:14Z",
    "severity": "HIGH"
  },
  "details": "PHPJabbers Hotel Booking System v4.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.",
  "id": "GHSA-r34m-q473-j9rr",
  "modified": "2025-02-20T15:31:08Z",
  "published": "2025-02-19T21:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51302"
    },
    {
      "type": "WEB",
      "url": "https://www.phpjabbers.com/hotel-booking-system/#sectionDemo"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/176489/PHPJabbers-Hotel-Booking-System-4.0-CSV-Injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R4HX-4864-RMCP

Vulnerability from github – Published: 2023-11-13 21:30 – Updated: 2026-04-28 15:30
VLAI
Details

Improper Neutralization of Formula Elements in a CSV File vulnerability in WebToffee Product Reviews Import Export for WooCommerce.This issue affects Product Reviews Import Export for WooCommerce: from n/a through 1.4.8.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-46802"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-07T16:15:28Z",
    "severity": "CRITICAL"
  },
  "details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in WebToffee Product Reviews Import Export for WooCommerce.This issue affects Product Reviews Import Export for WooCommerce: from n/a through 1.4.8.",
  "id": "GHSA-r4hx-4864-rmcp",
  "modified": "2026-04-28T15:30:34Z",
  "published": "2023-11-13T21:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46802"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/product-reviews-import-export-for-woocommerce/vulnerability/wordpress-product-reviews-import-export-for-woocommerce-plugin-1-4-8-unauth-csv-injection-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/product-reviews-import-export-for-woocommerce/wordpress-product-reviews-import-export-for-woocommerce-plugin-1-4-8-unauth-csv-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

Mitigation
Implementation

If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Mitigation
Architecture and Design

Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

No CAPEC attack patterns related to this CWE.