CWE-1236
AllowedImproper Neutralization of Formula Elements in a CSV File
Abstraction: Base · Status: Incomplete
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
401 vulnerabilities reference this CWE, most recent first.
GHSA-R4RP-M7M9-JRFV
Vulnerability from github – Published: 2024-10-18 09:31 – Updated: 2024-10-22 18:32There is a CSV injection vulnerability in some HikCentral Master Lite versions. If exploited, an attacker could build malicious data to generate executable commands in the CSV file.
{
"affected": [],
"aliases": [
"CVE-2024-47485"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-18T09:15:03Z",
"severity": "MODERATE"
},
"details": "There is a CSV injection vulnerability in some HikCentral Master Lite versions. If exploited, an attacker could build malicious data to generate executable commands in the CSV file.",
"id": "GHSA-r4rp-m7m9-jrfv",
"modified": "2024-10-22T18:32:05Z",
"published": "2024-10-18T09:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47485"
},
{
"type": "WEB",
"url": "https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerabilities-in-hikcentral-product-series"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R6XC-9724-9R8G
Vulnerability from github – Published: 2023-07-24 15:30 – Updated: 2024-04-04 06:19An issue was discovered in Nokia NetAct 22 through the Administration of Measurements website section. A malicious user can edit or add the templateName parameter in order to include malicious code, which is then downloaded as a .csv or .xlsx file and executed on a victim machine. Here, the /aom/html/EditTemplate.jsf and /aom/html/ViewAllTemplatesPage.jsf templateName parameter is used.
{
"affected": [],
"aliases": [
"CVE-2022-28864"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-24T14:15:10Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Nokia NetAct 22 through the Administration of Measurements website section. A malicious user can edit or add the templateName parameter in order to include malicious code, which is then downloaded as a .csv or .xlsx file and executed on a victim machine. Here, the /aom/html/EditTemplate.jsf and /aom/html/ViewAllTemplatesPage.jsf templateName parameter is used.",
"id": "GHSA-r6xc-9724-9r8g",
"modified": "2024-04-04T06:19:52Z",
"published": "2023-07-24T15:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28864"
},
{
"type": "WEB",
"url": "https://www.gruppotim.it/it/footer/red-team.html"
},
{
"type": "WEB",
"url": "https://www.telecomitalia.com/tit/it/innovazione/cybersecurity/red-team.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R86Q-856P-4Q9Q
Vulnerability from github – Published: 2022-05-24 22:00 – Updated: 2023-01-30 18:30IBM Maximo Asset Management 7.6 is vulnerable to CSV injection, which could allow a remote authenticated attacker to execute arbirary commands on the system. IBM X-Force ID: 161680.
{
"affected": [],
"aliases": [
"CVE-2019-4364"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-19T14:15:00Z",
"severity": "HIGH"
},
"details": "IBM Maximo Asset Management 7.6 is vulnerable to CSV injection, which could allow a remote authenticated attacker to execute arbirary commands on the system. IBM X-Force ID: 161680.",
"id": "GHSA-r86q-856p-4q9q",
"modified": "2023-01-30T18:30:28Z",
"published": "2022-05-24T22:00:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4364"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/161680"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10887557"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/108910"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RC4W-3H9Q-6XF9
Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19An issue was discovered in Recon-ng before 4.9.5. Lack of validation in the modules/reporting/csv.py file allows CSV injection. More specifically, when a Twitter user possesses an Excel macro for a username, it will not be properly sanitized when exported to a CSV file. This can result in remote code execution for the attacker.
{
"affected": [],
"aliases": [
"CVE-2018-20752"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-04T21:29:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in Recon-ng before 4.9.5. Lack of validation in the modules/reporting/csv.py file allows CSV injection. More specifically, when a Twitter user possesses an Excel macro for a username, it will not be properly sanitized when exported to a CSV file. This can result in remote code execution for the attacker.",
"id": "GHSA-rc4w-3h9q-6xf9",
"modified": "2022-05-13T01:19:56Z",
"published": "2022-05-13T01:19:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20752"
},
{
"type": "WEB",
"url": "https://bitbucket.org/LaNMaSteR53/recon-ng/commits/41e96fd58891439974fb0c920b349f8926c71d4c#chg-modules/reporting/csv.py"
},
{
"type": "WEB",
"url": "https://bitbucket.org/LaNMaSteR53/recon-ng/issues/285/csv-injection-vulnerability-identified-in"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RCQJ-85JM-WMW8
Vulnerability from github – Published: 2025-12-18 00:34 – Updated: 2025-12-18 00:34Rukovoditel 3.3.1 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into the firstname field. Attackers can craft payloads like =calc|a!z| to trigger code execution when an admin exports customer data as a CSV file.
{
"affected": [],
"aliases": [
"CVE-2023-53913"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-17T23:15:49Z",
"severity": "MODERATE"
},
"details": "Rukovoditel 3.3.1 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into the firstname field. Attackers can craft payloads like =calc|a!z| to trigger code execution when an admin exports customer data as a CSV file.",
"id": "GHSA-rcqj-85jm-wmw8",
"modified": "2025-12-18T00:34:07Z",
"published": "2025-12-18T00:34:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53913"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/51490"
},
{
"type": "WEB",
"url": "https://www.rukovoditel.net"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/rukovoditel-csv-injection-via-user-account-export"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RCXM-J6W4-FGVV
Vulnerability from github – Published: 2022-05-13 01:21 – Updated: 2022-05-13 01:21CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in the Acyba AcyMailing extension before 5.9.6 for Joomla! via a value that is mishandled in a CSV export.
{
"affected": [],
"aliases": [
"CVE-2018-9107"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-28T04:29:00Z",
"severity": "HIGH"
},
"details": "CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in the Acyba AcyMailing extension before 5.9.6 for Joomla! via a value that is mishandled in a CSV export.",
"id": "GHSA-rcxm-j6w4-fgvv",
"modified": "2022-05-13T01:21:05Z",
"published": "2022-05-13T01:21:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9107"
},
{
"type": "WEB",
"url": "https://vel.joomla.org/articles/2140-introducing-csv-injection"
},
{
"type": "WEB",
"url": "https://vel.joomla.org/resolved/2136-acymailing-5-9-5-csv-injection"
},
{
"type": "WEB",
"url": "https://www.acyba.com/acymailing/change-log.html"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44369"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RG8F-5P7X-M6WV
Vulnerability from github – Published: 2022-04-15 00:00 – Updated: 2025-05-30 14:07Lack of Neutralization of Formula Elements in the CSV API of MantisBT before 2.25.3 allows an unprivileged attacker to execute code or gain access to information when a user opens the csv_export.php generated CSV file in Excel.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.25.2"
},
"package": {
"ecosystem": "Packagist",
"name": "mantisbt/mantisbt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.25.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-43257"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-30T14:07:27Z",
"nvd_published_at": "2022-04-14T20:15:00Z",
"severity": "HIGH"
},
"details": "Lack of Neutralization of Formula Elements in the CSV API of MantisBT before 2.25.3 allows an unprivileged attacker to execute code or gain access to information when a user opens the csv_export.php generated CSV file in Excel.",
"id": "GHSA-rg8f-5p7x-m6wv",
"modified": "2025-05-30T14:07:27Z",
"published": "2022-04-15T00:00:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43257"
},
{
"type": "WEB",
"url": "https://github.com/mantisbt/mantisbt/commit/7f4534c723e3162b8784aebda4836324041dbc3e"
},
{
"type": "WEB",
"url": "https://github.com/mantisbt/mantisbt/commit/99eb8d41cbacc703f88807898dcc9ac55eec0f15"
},
{
"type": "PACKAGE",
"url": "https://github.com/mantisbt/mantisbt"
},
{
"type": "WEB",
"url": "https://www.mantisbt.org/bugs/view.php?id=29130"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "MantisBT CSV Injection unprivileged user access in csv_export.php"
}
GHSA-RJ5F-WJ63-XVGC
Vulnerability from github – Published: 2023-01-09 09:30 – Updated: 2023-01-12 21:30IBM Maximo Asset Management 7.6.1.1, 7.6.1.2, 7.6.1.3 and the IBM Maximo Manage 8.3, 8.4 application in IBM Maximo Application Suite are vulnerable to CSV injection. IBM X-Force ID: 2306335.
{
"affected": [],
"aliases": [
"CVE-2022-35281"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-09T08:15:00Z",
"severity": "HIGH"
},
"details": "IBM Maximo Asset Management 7.6.1.1, 7.6.1.2, 7.6.1.3 and the IBM Maximo Manage 8.3, 8.4 application in IBM Maximo Application Suite are vulnerable to CSV injection. IBM X-Force ID: 2306335.",
"id": "GHSA-rj5f-wj63-xvgc",
"modified": "2023-01-12T21:30:25Z",
"published": "2023-01-09T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35281"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/230635"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6852669"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RMCG-5MH4-47X7
Vulnerability from github – Published: 2024-11-12 21:30 – Updated: 2024-11-19 18:30An issue in Snipe-IT v.7.0.13 build 15514 allows a remote attacker to escalate privileges via the file /account/profile of the component "Name" field value under "Edit Your Profile".
{
"affected": [],
"aliases": [
"CVE-2024-51094"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-12T21:15:14Z",
"severity": "HIGH"
},
"details": "An issue in Snipe-IT v.7.0.13 build 15514 allows a remote attacker to escalate privileges via the file /account/profile of the component \"Name\" field value under \"Edit Your Profile\".",
"id": "GHSA-rmcg-5mh4-47x7",
"modified": "2024-11-19T18:30:54Z",
"published": "2024-11-12T21:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51094"
},
{
"type": "WEB",
"url": "https://gist.githubusercontent.com/Tommywarren/b3a6c6ae5a93dd67c863313f71f53a76/raw/ddff8cbbab5179f680ba3f5e94fc080575ad8913/CVE-2024-51094"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RQQH-WQ9C-MQ63
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28A CSV Injection (also known as Formula Injection) vulnerability in the Marmind web application with version 4.1.141.0 allows malicious users to gain remote control of other computers. By providing formula code in the “Notes” functionality in the main screen, an attacker can inject a payload into the “Description” field under the “Insert To-Do” option. Other users might download this data, for example a CSV file, and execute the malicious commands on their computer by opening the file using a software such as Microsoft Excel. The attacker could gain remote access to the user’s PC.
{
"affected": [],
"aliases": [
"CVE-2020-26507"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-05T18:15:00Z",
"severity": "HIGH"
},
"details": "A CSV Injection (also known as Formula Injection) vulnerability in the Marmind web application with version 4.1.141.0 allows malicious users to gain remote control of other computers. By providing formula code in the \u201cNotes\u201d functionality in the main screen, an attacker can inject a payload into the \u201cDescription\u201d field under the \u201cInsert To-Do\u201d option. Other users might download this data, for example a CSV file, and execute the malicious commands on their computer by opening the file using a software such as Microsoft Excel. The attacker could gain remote access to the user\u2019s PC.",
"id": "GHSA-rqqh-wq9c-mq63",
"modified": "2022-05-24T22:28:57Z",
"published": "2022-05-24T22:28:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26507"
},
{
"type": "WEB",
"url": "https://www.marmind.com/en"
},
{
"type": "WEB",
"url": "https://www2.deloitte.com/de/de/pages/risk/articles/marmind-csv-injection.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Mitigation
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Mitigation
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
No CAPEC attack patterns related to this CWE.