CWE-1236
AllowedImproper Neutralization of Formula Elements in a CSV File
Abstraction: Base · Status: Incomplete
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
401 vulnerabilities reference this CWE, most recent first.
GHSA-QGF9-6CXX-Q2QV
Vulnerability from github – Published: 2024-04-04 09:30 – Updated: 2025-03-28 21:30CSV Injection vulnerability in Addactis IBNRS v.3.10.3.107 allows a remote attacker to execute arbitrary code via a crafted .ibnrs file to the Project Description, Identifiers, Custom Triangle Name (inside Input Triangles) and Yield Curve Name parameters.
{
"affected": [],
"aliases": [
"CVE-2024-29375"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-04T07:15:08Z",
"severity": "CRITICAL"
},
"details": "CSV Injection vulnerability in Addactis IBNRS v.3.10.3.107 allows a remote attacker to execute arbitrary code via a crafted .ibnrs file to the Project Description, Identifiers, Custom Triangle Name (inside Input Triangles) and Yield Curve Name parameters.",
"id": "GHSA-qgf9-6cxx-q2qv",
"modified": "2025-03-28T21:30:39Z",
"published": "2024-04-04T09:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29375"
},
{
"type": "WEB",
"url": "https://github.com/ismailcemunver/CVE-2024-29375"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QHV9-5QRV-2R67
Vulnerability from github – Published: 2023-11-13 21:30 – Updated: 2026-04-28 15:30Improper Neutralization of Formula Elements in a CSV File vulnerability in Lenderd 1003 Mortgage Application.This issue affects 1003 Mortgage Application: from n/a through 1.75.
{
"affected": [],
"aliases": [
"CVE-2022-45357"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-07T16:15:27Z",
"severity": "CRITICAL"
},
"details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in Lenderd 1003 Mortgage Application.This issue affects 1003 Mortgage Application: from n/a through 1.75.",
"id": "GHSA-qhv9-5qrv-2r67",
"modified": "2026-04-28T15:30:34Z",
"published": "2023-11-13T21:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45357"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/1003-mortgage-application/vulnerability/wordpress-1003-mortgage-application-plugin-1-73-csv-injection?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/1003-mortgage-application/wordpress-1003-mortgage-application-plugin-1-73-csv-injection?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QP7G-V294-G9HJ
Vulnerability from github – Published: 2022-11-01 12:00 – Updated: 2022-11-03 12:00The application was identified to have an CSV injection in data export functionality, allowing for malicious code to be embedded within export data and then triggered in exported data viewers.
{
"affected": [],
"aliases": [
"CVE-2022-40294"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-31T21:15:00Z",
"severity": "HIGH"
},
"details": "The application was identified to have an CSV injection in data export functionality, allowing for malicious code to be embedded within export data and then triggered in exported data viewers.",
"id": "GHSA-qp7g-v294-g9hj",
"modified": "2022-11-03T12:00:27Z",
"published": "2022-11-01T12:00:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40294"
},
{
"type": "WEB",
"url": "https://www.themissinglink.com.au/security-advisories/cve-2022-40294"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QPCV-WR8H-9QCH
Vulnerability from github – Published: 2023-11-15 21:35 – Updated: 2026-04-28 15:30Improper Neutralization of Formula Elements in a CSV File vulnerability in GiveWP.This issue affects GiveWP: from n/a through 2.25.1.
{
"affected": [],
"aliases": [
"CVE-2023-22719"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-07T16:15:28Z",
"severity": "CRITICAL"
},
"details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in GiveWP.This issue affects GiveWP: from n/a through 2.25.1.",
"id": "GHSA-qpcv-wr8h-9qch",
"modified": "2026-04-28T15:30:34Z",
"published": "2023-11-15T21:35:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22719"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/give/vulnerability/wordpress-givewp-plugin-2-25-1-csv-injection-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/give/wordpress-givewp-plugin-2-25-1-csv-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QPQQ-223W-7PWH
Vulnerability from github – Published: 2025-12-18 00:34 – Updated: 2025-12-18 00:34ProjectSend r1605 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into user profile names. Attackers can craft payloads like =calc|a!z| in the name field to trigger code execution when administrators export action logs as CSV files.
{
"affected": [],
"aliases": [
"CVE-2023-53905"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-17T23:15:48Z",
"severity": "MODERATE"
},
"details": "ProjectSend r1605 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into user profile names. Attackers can craft payloads like =calc|a!z| in the name field to trigger code execution when administrators export action logs as CSV files.",
"id": "GHSA-qpqq-223w-7pwh",
"modified": "2025-12-18T00:34:07Z",
"published": "2025-12-18T00:34:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53905"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/51517"
},
{
"type": "WEB",
"url": "https://www.projectsend.org"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/projectsend-csv-injection-via-user-account-export-functionality"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QR42-XHM2-JG7W
Vulnerability from github – Published: 2025-02-19 21:31 – Updated: 2025-02-20 15:31PHPJabbers Event Booking Calendar v4.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.
{
"affected": [],
"aliases": [
"CVE-2023-51298"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-19T20:15:34Z",
"severity": "MODERATE"
},
"details": "PHPJabbers Event Booking Calendar v4.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.",
"id": "GHSA-qr42-xhm2-jg7w",
"modified": "2025-02-20T15:31:06Z",
"published": "2025-02-19T21:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51298"
},
{
"type": "WEB",
"url": "https://www.phpjabbers.com/event-booking-calendar/#sectionDemo"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/176487/PHPJabbers-Event-Booking-Calendar-4.0-CSV-Injection.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QV7C-W6CP-C775
Vulnerability from github – Published: 2026-06-15 15:31 – Updated: 2026-06-15 15:31Improper neutralization of formula elements in a CSV file vulnerability in MIA Technology Inc. Pizzy Library allows Code Injection.
This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.
{
"affected": [],
"aliases": [
"CVE-2026-5242"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-15T14:16:37Z",
"severity": "HIGH"
},
"details": "Improper neutralization of formula elements in a CSV file vulnerability in MIA Technology Inc. Pizzy Library allows Code Injection.\n\nThis issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.",
"id": "GHSA-qv7c-w6cp-c775",
"modified": "2026-06-15T15:31:33Z",
"published": "2026-06-15T15:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5242"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0383"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QXGQ-6J8M-J2XM
Vulnerability from github – Published: 2022-12-12 15:30 – Updated: 2022-12-15 15:32Vulnerabilities in ArubaOS running on 7xxx series controllers exist that allows an attacker to execute arbitrary code during the boot sequence. Successful exploitation could allow an attacker to achieve permanent modification of the underlying operating system.
{
"affected": [],
"aliases": [
"CVE-2022-37905"
],
"database_specific": {
"cwe_ids": [
"CWE-1236",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-12T13:15:00Z",
"severity": "HIGH"
},
"details": "Vulnerabilities in ArubaOS running on 7xxx series controllers exist that allows an attacker to execute arbitrary code during the boot sequence. Successful exploitation could allow an attacker to achieve permanent modification of the underlying operating system.",
"id": "GHSA-qxgq-6j8m-j2xm",
"modified": "2022-12-15T15:32:13Z",
"published": "2022-12-12T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37905"
},
{
"type": "WEB",
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-016.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R34M-Q473-J9RR
Vulnerability from github – Published: 2025-02-19 21:31 – Updated: 2025-02-20 15:31PHPJabbers Hotel Booking System v4.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.
{
"affected": [],
"aliases": [
"CVE-2023-51302"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-19T21:15:14Z",
"severity": "HIGH"
},
"details": "PHPJabbers Hotel Booking System v4.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.",
"id": "GHSA-r34m-q473-j9rr",
"modified": "2025-02-20T15:31:08Z",
"published": "2025-02-19T21:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51302"
},
{
"type": "WEB",
"url": "https://www.phpjabbers.com/hotel-booking-system/#sectionDemo"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/176489/PHPJabbers-Hotel-Booking-System-4.0-CSV-Injection.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R4HX-4864-RMCP
Vulnerability from github – Published: 2023-11-13 21:30 – Updated: 2026-04-28 15:30Improper Neutralization of Formula Elements in a CSV File vulnerability in WebToffee Product Reviews Import Export for WooCommerce.This issue affects Product Reviews Import Export for WooCommerce: from n/a through 1.4.8.
{
"affected": [],
"aliases": [
"CVE-2022-46802"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-07T16:15:28Z",
"severity": "CRITICAL"
},
"details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in WebToffee Product Reviews Import Export for WooCommerce.This issue affects Product Reviews Import Export for WooCommerce: from n/a through 1.4.8.",
"id": "GHSA-r4hx-4864-rmcp",
"modified": "2026-04-28T15:30:34Z",
"published": "2023-11-13T21:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46802"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/product-reviews-import-export-for-woocommerce/vulnerability/wordpress-product-reviews-import-export-for-woocommerce-plugin-1-4-8-unauth-csv-injection-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/product-reviews-import-export-for-woocommerce/wordpress-product-reviews-import-export-for-woocommerce-plugin-1-4-8-unauth-csv-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Mitigation
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Mitigation
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
No CAPEC attack patterns related to this CWE.