CWE-1236
AllowedImproper Neutralization of Formula Elements in a CSV File
Abstraction: Base · Status: Incomplete
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
401 vulnerabilities reference this CWE, most recent first.
GHSA-RQXC-9P8H-XQGQ
Vulnerability from github – Published: 2023-12-24 06:30 – Updated: 2023-12-28 18:45Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-xhvv-3jww-c487. This link is maintained to preserve external references.
Original Description
csv_builder.rb in ActiveAdmin (aka Active Admin) before 3.2.0 allows CSV injection.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "activeadmin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-27T15:07:14Z",
"nvd_published_at": "2023-12-24T04:15:07Z",
"severity": "HIGH"
},
"details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-xhvv-3jww-c487. This link is maintained to preserve external references.\n\n## Original Description\ncsv_builder.rb in ActiveAdmin (aka Active Admin) before 3.2.0 allows CSV injection.",
"id": "GHSA-rqxc-9p8h-xqgq",
"modified": "2023-12-28T18:45:19Z",
"published": "2023-12-24T06:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51763"
},
{
"type": "WEB",
"url": "https://github.com/activeadmin/activeadmin/pull/8161"
},
{
"type": "WEB",
"url": "https://github.com/activeadmin/activeadmin/commit/697be2b183491beadc8f0b7d8b5bfb44f2387909"
},
{
"type": "PACKAGE",
"url": "https://github.com/activeadmin/activeadmin"
},
{
"type": "WEB",
"url": "https://github.com/activeadmin/activeadmin/releases/tag/v3.2.0"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-rqxc-9p8h-xqgq"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activeadmin/CVE-2023-51763.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: ActiveAdmin vulnerable to CSV injection",
"withdrawn": "2023-12-28T18:45:19Z"
}
GHSA-RW22-Q8XF-9QV3
Vulnerability from github – Published: 2022-05-13 01:20 – Updated: 2022-05-13 01:20Tiki 17.1 does not validate user input for special characters; consequently, a CSV Injection attack can open a CMD.EXE or Calculator window on the victim machine to perform malicious activity, as demonstrated by an "=cmd|' /C calc'!A0" payload during User Creation.
{
"affected": [],
"aliases": [
"CVE-2018-7304"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-21T20:29:00Z",
"severity": "HIGH"
},
"details": "Tiki 17.1 does not validate user input for special characters; consequently, a CSV Injection attack can open a CMD.EXE or Calculator window on the victim machine to perform malicious activity, as demonstrated by an \"=cmd|\u0027 /C calc\u0027!A0\" payload during User Creation.",
"id": "GHSA-rw22-q8xf-9qv3",
"modified": "2022-05-13T01:20:34Z",
"published": "2022-05-13T01:20:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7304"
},
{
"type": "WEB",
"url": "https://websecnerd.blogspot.in/2018/01/tiki-wiki-cms-groupware-17.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RWR5-X2HJ-VJ32
Vulnerability from github – Published: 2025-01-14 15:30 – Updated: 2025-07-16 15:32An improper neutralization of formula elements in a csv file in Fortinet FortiSOAR 7.2.1 through 7.4.1 allows attacker to execute unauthorized code or commands via manipulating csv file
{
"affected": [],
"aliases": [
"CVE-2024-47572"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-14T14:15:32Z",
"severity": "CRITICAL"
},
"details": "An improper neutralization of formula elements in a csv file in Fortinet FortiSOAR 7.2.1 through 7.4.1 allows attacker to execute unauthorized code or commands via manipulating csv file",
"id": "GHSA-rwr5-x2hj-vj32",
"modified": "2025-07-16T15:32:05Z",
"published": "2025-01-14T15:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47572"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-210"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RX9F-2J6Q-9PFF
Vulnerability from github – Published: 2023-11-07 21:30 – Updated: 2026-04-28 15:30Improper Neutralization of Formula Elements in a CSV File vulnerability in Paul Ryley Site Reviews.This issue affects Site Reviews: from n/a through 6.2.0.
{
"affected": [],
"aliases": [
"CVE-2022-46801"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-07T17:15:08Z",
"severity": "CRITICAL"
},
"details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in Paul Ryley Site Reviews.This issue affects Site Reviews: from n/a through 6.2.0.",
"id": "GHSA-rx9f-2j6q-9pff",
"modified": "2026-04-28T15:30:34Z",
"published": "2023-11-07T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46801"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/site-reviews/vulnerability/wordpress-site-reviews-plugin-6-2-0-unauth-csv-injection-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/site-reviews/wordpress-site-reviews-plugin-6-2-0-unauth-csv-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V5GW-52QQ-F42H
Vulnerability from github – Published: 2025-02-20 18:31 – Updated: 2025-11-04 21:31PHPJabbers Bus Reservation System v1.1 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.
{
"affected": [],
"aliases": [
"CVE-2023-51319"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-20T16:15:34Z",
"severity": "HIGH"
},
"details": "PHPJabbers Bus Reservation System v1.1 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.",
"id": "GHSA-v5gw-52qq-f42h",
"modified": "2025-11-04T21:31:30Z",
"published": "2025-02-20T18:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51319"
},
{
"type": "WEB",
"url": "https://packetstorm.news/files/id/176500"
},
{
"type": "WEB",
"url": "https://www.phpjabbers.com/bus-reservation-system/#sectionDemo"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/176500/PHPJabbers-Bus-Reservation-System-1.1-CSV-Injection.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V6V8-VP6W-87V3
Vulnerability from github – Published: 2023-12-29 06:30 – Updated: 2024-01-08 15:30CSV Injection vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to obtain sensitive information via the User Profile field.
{
"affected": [],
"aliases": [
"CVE-2023-31295"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-29T06:15:43Z",
"severity": "HIGH"
},
"details": "CSV Injection vulnerability in Sesami Cash Point \u0026 Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to obtain sensitive information via the User Profile field.",
"id": "GHSA-v6v8-vp6w-87v3",
"modified": "2024-01-08T15:30:26Z",
"published": "2023-12-29T06:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31295"
},
{
"type": "WEB",
"url": "https://herolab.usd.de/en/security-advisories/usd-2022-0053"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VFRW-M2C3-HH6G
Vulnerability from github – Published: 2023-11-15 15:30 – Updated: 2026-04-28 15:30Improper Neutralization of Formula Elements in a CSV File vulnerability in AyeCode Ltd UsersWP.This issue affects UsersWP: from n/a through 1.2.3.9.
{
"affected": [],
"aliases": [
"CVE-2022-47442"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-07T15:15:10Z",
"severity": "HIGH"
},
"details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in AyeCode Ltd UsersWP.This issue affects UsersWP: from n/a through 1.2.3.9.",
"id": "GHSA-vfrw-m2c3-hh6g",
"modified": "2026-04-28T15:30:34Z",
"published": "2023-11-15T15:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47442"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/userswp/vulnerability/wordpress-userswp-front-end-login-form-user-registration-user-profile-members-directory-plugin-for-wordpress-plugin-1-2-3-9-csv-injection?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/userswp/wordpress-userswp-front-end-login-form-user-registration-user-profile-members-directory-plugin-for-wordpress-plugin-1-2-3-9-csv-injection?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VJ22-XMP8-4MF5
Vulnerability from github – Published: 2022-12-12 18:30 – Updated: 2022-12-15 18:30The WP CSV Exporter WordPress plugin before 1.3.7 does not properly escape the fields when exporting data as CSV, leading to a CSV injection vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-3605"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-12T18:15:00Z",
"severity": "HIGH"
},
"details": "The WP CSV Exporter WordPress plugin before 1.3.7 does not properly escape the fields when exporting data as CSV, leading to a CSV injection vulnerability.",
"id": "GHSA-vj22-xmp8-4mf5",
"modified": "2022-12-15T18:30:17Z",
"published": "2022-12-12T18:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3605"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/28ecdf61-e478-42c3-87c0-80a9912eadb2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VM5F-653C-MWV3
Vulnerability from github – Published: 2026-05-11 12:32 – Updated: 2026-05-11 12:32Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0, contains an improper neutralization of formula elements in a CSV File vulnerability in the UI. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to remote execution.
{
"affected": [],
"aliases": [
"CVE-2026-35157"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-11T10:16:13Z",
"severity": "MODERATE"
},
"details": "Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0, contains an improper neutralization of formula elements in a CSV File vulnerability in the UI. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to remote execution.",
"id": "GHSA-vm5f-653c-mwv3",
"modified": "2026-05-11T12:32:31Z",
"published": "2026-05-11T12:32:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35157"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000462117/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-VM5P-28RV-RR68
Vulnerability from github – Published: 2022-11-21 18:30 – Updated: 2022-11-23 15:30Sourcecodester Event Registration App v1.0 was discovered to contain multiple CSV injection vulnerabilities via the First Name, Contact and Remarks fields. These vulnerabilities allow attackers to execute arbitrary code via a crafted excel file.
{
"affected": [],
"aliases": [
"CVE-2022-44830"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-21T18:15:00Z",
"severity": "HIGH"
},
"details": "Sourcecodester Event Registration App v1.0 was discovered to contain multiple CSV injection vulnerabilities via the First Name, Contact and Remarks fields. These vulnerabilities allow attackers to execute arbitrary code via a crafted excel file.",
"id": "GHSA-vm5p-28rv-rr68",
"modified": "2022-11-23T15:30:22Z",
"published": "2022-11-21T18:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44830"
},
{
"type": "WEB",
"url": "https://github.com/RashidKhanPathan/CVE-2022-44830"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Mitigation
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Mitigation
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
No CAPEC attack patterns related to this CWE.