Common Weakness Enumeration

CWE-1236

Allowed

Improper Neutralization of Formula Elements in a CSV File

Abstraction: Base · Status: Incomplete

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

401 vulnerabilities reference this CWE, most recent first.

GHSA-VWQW-277X-QQ2J

Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2023-02-24 21:30
VLAI
Details

The Hustle (aka wordpress-popup) plugin 6.0.7 for WordPress is vulnerable to CSV Injection as it allows for injecting malicious code into a pop-up window. Successful exploitation grants an attacker with a right to execute malicious code on the administrator's computer through Excel functions as the plugin does not sanitize the user's input and allows insertion of any text.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-11872"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-29T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "The Hustle (aka wordpress-popup) plugin 6.0.7 for WordPress is vulnerable to CSV Injection as it allows for injecting malicious code into a pop-up window. Successful exploitation grants an attacker with a right to execute malicious code on the administrator\u0027s computer through Excel functions as the plugin does not sanitize the user\u0027s input and allows insertion of any text.",
  "id": "GHSA-vwqw-277x-qq2j",
  "modified": "2023-02-24T21:30:19Z",
  "published": "2022-05-24T16:46:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11872"
    },
    {
      "type": "WEB",
      "url": "https://blog.reddy.io/2019/05/24/reddy-solutions-found-a-csv-injection-vulnerability-in-hustle-wordpress-plugin"
    },
    {
      "type": "WEB",
      "url": "https://blog.reddy.io/category/cybersecurity"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/wordpress-popup/#developers"
    },
    {
      "type": "WEB",
      "url": "https://wpvulndb.com/vulnerabilities/9326"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W3W2-8HQ7-8FMW

Vulnerability from github – Published: 2022-11-21 12:30 – Updated: 2022-11-23 18:30
VLAI
Details

The Easy Digital Downloads WordPress plugin before 3.1.0.2 does not validate data when its output in a CSV file, which could lead to CSV injection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3600"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-21T11:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The Easy Digital Downloads WordPress plugin before 3.1.0.2 does not validate data when its output in a CSV file, which could lead to CSV injection.",
  "id": "GHSA-w3w2-8hq7-8fmw",
  "modified": "2022-11-23T18:30:28Z",
  "published": "2022-11-21T12:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3600"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/16e2d970-19d0-42d1-8fb1-e7cb14ace1d0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W8PH-83JM-G88M

Vulnerability from github – Published: 2024-03-21 03:36 – Updated: 2024-03-21 03:36
VLAI
Details

IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 259354.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-35899"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-21T02:47:58Z",
    "severity": "HIGH"
  },
  "details": "IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents.  IBM X-Force ID:  259354.",
  "id": "GHSA-w8ph-83jm-g88m",
  "modified": "2024-03-21T03:36:45Z",
  "published": "2024-03-21T03:36:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35899"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/259354"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7030357"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W9QH-PVX2-RHMH

Vulnerability from github – Published: 2022-06-03 00:00 – Updated: 2022-06-14 00:00
VLAI
Details

PowerStore SW v2.1.1.0 supports the option to export data to either a CSV or an XLSX file. The data is taken as is, without any validation or sanitization. It allows a malicious, authenticated user to inject payloads that might get interpreted as formulas by the corresponding spreadsheet application that is being used to open the CSV/XLSX file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-02T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "PowerStore SW v2.1.1.0 supports the option to export data to either a CSV or an XLSX file. The data is taken as is, without any validation or sanitization. It allows a malicious, authenticated user to inject payloads that might get interpreted as formulas by the corresponding spreadsheet application that is being used to open the CSV/XLSX file.",
  "id": "GHSA-w9qh-pvx2-rhmh",
  "modified": "2022-06-14T00:00:29Z",
  "published": "2022-06-03T00:00:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26867"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/000196367"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WC29-X275-PGCQ

Vulnerability from github – Published: 2022-11-09 12:00 – Updated: 2022-11-09 19:02
VLAI
Details

CSV Injection vulnerability in Activity Log Team Activity Log <= 2.8.3 on WordPress.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-27858"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236",
      "CWE-74"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-08T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "CSV Injection vulnerability in Activity Log Team Activity Log \u003c= 2.8.3 on WordPress.",
  "id": "GHSA-wc29-x275-pgcq",
  "modified": "2022-11-09T19:02:26Z",
  "published": "2022-11-09T12:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27858"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/aryo-activity-log/wordpress-activity-log-plugin-2-8-3-csv-injection-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/aryo-activity-log/#developers"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WC34-P4FH-WR9Q

Vulnerability from github – Published: 2025-07-31 21:31 – Updated: 2026-01-12 09:30
VLAI
Details

An issue was discovered in Archer Technology RSA Archer 6.11.00204.10014 allowing attackers to execute arbitrary code via crafted system inputs that would be exported into the CSV and be executed after the user opened the file with compatible applications.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-50572"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-31T20:15:43Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Archer Technology RSA Archer 6.11.00204.10014 allowing attackers to execute arbitrary code via crafted system inputs that would be exported into the CSV and be executed after the user opened the file with compatible applications.",
  "id": "GHSA-wc34-p4fh-wr9q",
  "modified": "2026-01-12T09:30:30Z",
  "published": "2025-07-31T21:31:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50572"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shorooq-hummdi/Archer-csv-injection-command-exec/blob/main/README.md"
    },
    {
      "type": "WEB",
      "url": "https://www.archerirm.community/s/blogs/formula-injection-into-csv-files-vulnerability-in-rsa-archer-6-1-x-and-higher-MCOCQFO3WCQBCCHMKNC74JGSFWQY"
    },
    {
      "type": "WEB",
      "url": "http://archer.com"
    },
    {
      "type": "WEB",
      "url": "http://rsa.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WHXV-P57P-V97W

Vulnerability from github – Published: 2022-09-25 00:00 – Updated: 2022-09-28 00:00
VLAI
Details

Authenticated (author+) CSV Injection vulnerability in Export Post Info plugin <= 1.2.0 at WordPress.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38061"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-23T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Authenticated (author+) CSV Injection vulnerability in Export Post Info plugin \u003c= 1.2.0 at WordPress.",
  "id": "GHSA-whxv-p57p-v97w",
  "modified": "2022-09-28T00:00:24Z",
  "published": "2022-09-25T00:00:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38061"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/export-post-info/wordpress-export-post-info-plugin-1-2-0-authenticated-csv-injection-vulnerability/_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/export-post-info/#developers"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WP6X-2JJ2-VXHW

Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12
VLAI
Details

Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27020"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-30T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export.",
  "id": "GHSA-wp6x-2jj2-vxhw",
  "modified": "2022-05-24T19:12:28Z",
  "published": "2022-05-24T19:12:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27020"
    },
    {
      "type": "WEB",
      "url": "https://puppet.com/security/cve/CVE-2021-27020"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WP9X-2QX4-MFCG

Vulnerability from github – Published: 2022-10-25 19:00 – Updated: 2022-10-26 12:00
VLAI
Details

The Post to CSV by BestWebSoft WordPress plugin through 1.4.0 does not properly escape fields when exporting data as CSV, leading to a CSV injection

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3393"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-25T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The Post to CSV by BestWebSoft WordPress plugin through 1.4.0 does not properly escape fields when exporting data as CSV, leading to a CSV injection",
  "id": "GHSA-wp9x-2qx4-mfcg",
  "modified": "2022-10-26T12:00:30Z",
  "published": "2022-10-25T19:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3393"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/689b4c42-c516-4c57-8ec7-3a6f12a3594e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQ79-2F22-34W5

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34
VLAI
Details

IBM FileNet Content Manager 5.5.4 and 5.5.5 is potentially vulnerable to CVS Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 188736.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-4759"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-09T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM FileNet Content Manager 5.5.4 and 5.5.5 is potentially vulnerable to CVS Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 188736.",
  "id": "GHSA-wq79-2f22-34w5",
  "modified": "2022-05-24T17:34:05Z",
  "published": "2022-05-24T17:34:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4759"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/188736"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6336917"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Implementation

When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

Mitigation
Implementation

If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Mitigation
Architecture and Design

Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

No CAPEC attack patterns related to this CWE.