CWE-1236
AllowedImproper Neutralization of Formula Elements in a CSV File
Abstraction: Base · Status: Incomplete
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
401 vulnerabilities reference this CWE, most recent first.
GHSA-WR7V-H9P2-5FR6
Vulnerability from github – Published: 2023-11-07 21:30 – Updated: 2026-04-28 21:33Improper Neutralization of Formula Elements in a CSV File vulnerability in Icegram Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce.This issue affects Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce: from n/a through 5.5.2.
{
"affected": [],
"aliases": [
"CVE-2022-45810"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-07T17:15:08Z",
"severity": "CRITICAL"
},
"details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in Icegram Icegram Express \u2013 Email Marketing, Newsletters and Automation for WordPress \u0026 WooCommerce.This issue affects Icegram Express \u2013 Email Marketing, Newsletters and Automation for WordPress \u0026 WooCommerce: from n/a through 5.5.2.",
"id": "GHSA-wr7v-h9p2-5fr6",
"modified": "2026-04-28T21:33:02Z",
"published": "2023-11-07T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45810"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/email-subscribers/vulnerability/wordpress-icegram-express-email-subscribers-newsletters-and-marketing-automation-plugin-plugin-5-5-2-csv-injection?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/email-subscribers/wordpress-icegram-express-email-subscribers-newsletters-and-marketing-automation-plugin-plugin-5-5-2-csv-injection?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WX87-PJ46-74F6
Vulnerability from github – Published: 2022-06-08 00:00 – Updated: 2022-06-15 00:00A vulnerability, which was classified as critical, has been found in SevOne Network Management System up to 5.7.2.22. This issue affects the Device Manager Page. An injection leads to privilege escalation. The attack may be initiated remotely.
{
"affected": [],
"aliases": [
"CVE-2020-36531"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-07T18:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability, which was classified as critical, has been found in SevOne Network Management System up to 5.7.2.22. This issue affects the Device Manager Page. An injection leads to privilege escalation. The attack may be initiated remotely.",
"id": "GHSA-wx87-pj46-74f6",
"modified": "2022-06-15T00:00:23Z",
"published": "2022-06-08T00:00:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36531"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.162263"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2020/Oct/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X232-X9VJ-7XWQ
Vulnerability from github – Published: 2023-08-28 03:30 – Updated: 2024-04-04 07:13IBM InfoSphere Information Server 11.7 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 244368.
{
"affected": [],
"aliases": [
"CVE-2023-22877"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-28T01:15:07Z",
"severity": "HIGH"
},
"details": "IBM InfoSphere Information Server 11.7 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 244368.",
"id": "GHSA-x232-x9vj-7xwq",
"modified": "2024-04-04T07:13:44Z",
"published": "2023-08-28T03:30:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22877"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/244368"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6988623"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X2H4-97PF-V2RR
Vulnerability from github – Published: 2026-01-27 18:32 – Updated: 2026-01-27 18:32Knockpy 4.1.1 contains a CSV injection vulnerability that allows attackers to inject malicious formulas into CSV reports through unfiltered server headers. Attackers can manipulate server response headers to include spreadsheet formulas that will execute when the CSV is opened in spreadsheet applications.
{
"affected": [],
"aliases": [
"CVE-2020-36941"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-27T16:16:11Z",
"severity": "MODERATE"
},
"details": "Knockpy 4.1.1 contains a CSV injection vulnerability that allows attackers to inject malicious formulas into CSV reports through unfiltered server headers. Attackers can manipulate server response headers to include spreadsheet formulas that will execute when the CSV is opened in spreadsheet applications.",
"id": "GHSA-x2h4-97pf-v2rr",
"modified": "2026-01-27T18:32:13Z",
"published": "2026-01-27T18:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36941"
},
{
"type": "WEB",
"url": "https://github.com/guelfoweb/knock"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49342"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/knockpy-csv-injection"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-X2V3-9P22-W3X6
Vulnerability from github – Published: 2025-12-18 00:34 – Updated: 2026-01-02 15:47phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV file.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "thorsten/phpmyfaq"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.1.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpmyfaq/phpmyfaq"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.1.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-53929"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-02T15:47:39Z",
"nvd_published_at": "2025-12-17T23:15:52Z",
"severity": "MODERATE"
},
"details": "phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like \u0027calc|a!z|\u0027 to trigger code execution when an administrator exports user data as a CSV file.",
"id": "GHSA-x2v3-9p22-w3x6",
"modified": "2026-01-02T15:47:39Z",
"published": "2025-12-18T00:34:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53929"
},
{
"type": "PACKAGE",
"url": "https://github.com/thorsten/phpMyFAQ"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/51399"
},
{
"type": "WEB",
"url": "https://www.phpmyfaq.de"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/phpmyfaq-csv-injection-via-user-profile-export"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "phpMyFAQ contains a CSV injection vulnerability"
}
GHSA-X53X-G43Q-33F7
Vulnerability from github – Published: 2026-06-04 12:30 – Updated: 2026-06-04 12:30HCL iControl was affected by Export CSV - CSV Injection vulnerability. It is vulnerable to a reflected cross-site scripting vulnerability. This was caused by an insufficient sanitation of input parameters. .
{
"affected": [],
"aliases": [
"CVE-2025-52612"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T12:16:24Z",
"severity": "HIGH"
},
"details": "HCL iControl was affected by Export CSV - CSV Injection vulnerability. It is vulnerable to a reflected cross-site scripting vulnerability. This was caused by an insufficient sanitation of input parameters. .",
"id": "GHSA-x53x-g43q-33f7",
"modified": "2026-06-04T12:30:26Z",
"published": "2026-06-04T12:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52612"
},
{
"type": "WEB",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131041"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X63R-X798-GV8P
Vulnerability from github – Published: 2022-05-24 17:11 – Updated: 2022-05-24 17:11admin/include/operations.php (via admin/email-harvester.php) in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject untrusted input inside CSV files via the POST parameter data.
{
"affected": [],
"aliases": [
"CVE-2020-10460"
],
"database_specific": {
"cwe_ids": [
"CWE-1236",
"CWE-74"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-12T14:15:00Z",
"severity": "MODERATE"
},
"details": "admin/include/operations.php (via admin/email-harvester.php) in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject untrusted input inside CSV files via the POST parameter data.",
"id": "GHSA-x63r-x798-gv8p",
"modified": "2022-05-24T17:11:14Z",
"published": "2022-05-24T17:11:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10460"
},
{
"type": "WEB",
"url": "https://antoniocannito.it/phpkb1#csv-injection-cve-2020-10460"
},
{
"type": "WEB",
"url": "http://antoniocannito.it/?p=137#csvinj"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X6C4-GW3R-222G
Vulnerability from github – Published: 2022-07-26 00:01 – Updated: 2022-07-30 00:00The Exports and Reports WordPress plugin before 0.9.2 does not sanitize and validate data when generating the CSV to export, which could lead to a CSV injection, by the use of Microsoft Excel DDE function, or to leak data via maliciously injected hyperlinks.
{
"affected": [],
"aliases": [
"CVE-2022-1539"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-25T13:15:00Z",
"severity": "HIGH"
},
"details": "The Exports and Reports WordPress plugin before 0.9.2 does not sanitize and validate data when generating the CSV to export, which could lead to a CSV injection, by the use of Microsoft Excel DDE function, or to leak data via maliciously injected hyperlinks.",
"id": "GHSA-x6c4-gw3r-222g",
"modified": "2022-07-30T00:00:35Z",
"published": "2022-07-26T00:01:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1539"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/50f70927-9677-4ba4-a388-0a41ed356523"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X7G4-2JWR-PR3R
Vulnerability from github – Published: 2025-11-28 15:30 – Updated: 2025-11-28 18:30CSV formula injection vulnerability in HCL Technologies Ltd. Unica 12.0.0.
{
"affected": [],
"aliases": [
"CVE-2025-51735"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-28T15:16:01Z",
"severity": "HIGH"
},
"details": "CSV formula injection vulnerability in HCL Technologies Ltd. Unica 12.0.0.",
"id": "GHSA-x7g4-2jwr-pr3r",
"modified": "2025-11-28T18:30:23Z",
"published": "2025-11-28T15:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51735"
},
{
"type": "WEB",
"url": "https://gist.github.com/ikpehlivan/4361fa808e04d884e4771be88e891ec2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X963-3P8C-J4M6
Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2024-03-21 03:34A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable and a reverse shell could be obtained if a privileged user exports "User Attempts Audit Report" as CSV file.
{
"affected": [],
"aliases": [
"CVE-2021-33256"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-09T14:15:00Z",
"severity": "HIGH"
},
"details": "A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable and a reverse shell could be obtained if a privileged user exports \"User Attempts Audit Report\" as CSV file.",
"id": "GHSA-x963-3p8c-j4m6",
"modified": "2024-03-21T03:34:05Z",
"published": "2022-05-24T19:10:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33256"
},
{
"type": "WEB",
"url": "https://docs.unsafe-inline.com/0day/manageengine-adselfservice-plus-6.1-csv-injection"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Mitigation
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Mitigation
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
No CAPEC attack patterns related to this CWE.