Common Weakness Enumeration
Show details on NVD website
Show details on NVD website
Show details on NVD website
Back to CWE stats page
CWE-1236
Improper Neutralization of Formula Elements in a CSV File
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
CVE-2026-41073 (GCVE-0-2026-41073)
Vulnerability from cvelistv5 – Published: 2026-05-22 21:10 – Updated: 2026-05-23 02:57
VLAI
Title
RT: Spreadsheet downloads vulnerable to CSV/formula injection in Microsoft Excel and similar apps
Summary
RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output file, which can cause spreadsheet applications to interpret crafted values as formulas or macros when the file is opened. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by avoiding opening exported RT spreadsheet files directly in spreadsheet applications when the data may contain untrusted user input.
Severity
4.6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/bestpractical/rt/security/advi… | x_refsource_CONFIRM |
| https://github.com/bestpractical/rt/releases/tag/… | x_refsource_MISC |
| https://github.com/bestpractical/rt/releases/tag/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| bestpractical | rt |
Affected:
< 5.0.10
Affected: >= 6.0.0, < 6.0.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41073",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-23T02:57:10.802457Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T02:57:38.966Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rt",
"vendor": "bestpractical",
"versions": [
{
"status": "affected",
"version": "\u003c 5.0.10"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output file, which can cause spreadsheet applications to interpret crafted values as formulas or macros when the file is opened. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by avoiding opening exported RT spreadsheet files directly in spreadsheet applications when the data may contain untrusted user input."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "CWE-1236: Improper Neutralization of Formula Elements in a CSV File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T21:10:22.249Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bestpractical/rt/security/advisories/GHSA-6x92-7v65-7m3r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bestpractical/rt/security/advisories/GHSA-6x92-7v65-7m3r"
},
{
"name": "https://github.com/bestpractical/rt/releases/tag/rt-5.0.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bestpractical/rt/releases/tag/rt-5.0.10"
},
{
"name": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3"
}
],
"source": {
"advisory": "GHSA-6x92-7v65-7m3r",
"discovery": "UNKNOWN"
},
"title": "RT: Spreadsheet downloads vulnerable to CSV/formula injection in Microsoft Excel and similar apps"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41073",
"datePublished": "2026-05-22T21:10:22.249Z",
"dateReserved": "2026-04-16T16:43:03.174Z",
"dateUpdated": "2026-05-23T02:57:38.966Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42267 (GCVE-0-2026-42267)
Vulnerability from cvelistv5 – Published: 2026-05-08 03:28 – Updated: 2026-05-08 12:58
VLAI
Title
Kimai: Formula Injection via tag names in XLSX export
Summary
Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM(54+51)) via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue() joins tag names with implode() and returns the result unchanged. OpenSpout promotes any =-prefixed string to a FormulaCell, writing <f>SUM(54+51)</f> into the XLSX archive. Excel evaluates the formula when the file is opened. This issue has been patched in version 2.54.0.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/kimai/kimai/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/kimai/kimai/releases/tag/2.54.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42267",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T12:57:49.978866Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T12:58:12.770Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/kimai/kimai/security/advisories/GHSA-3xc2-h5r3-wv3r"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kimai",
"vendor": "kimai",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.27.0, \u003c 2.54.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM(54+51)) via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue() joins tag names with implode() and returns the result unchanged. OpenSpout promotes any =-prefixed string to a FormulaCell, writing \u003cf\u003eSUM(54+51)\u003c/f\u003e into the XLSX archive. Excel evaluates the formula when the file is opened. This issue has been patched in version 2.54.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "CWE-1236: Improper Neutralization of Formula Elements in a CSV File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T03:28:52.226Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kimai/kimai/security/advisories/GHSA-3xc2-h5r3-wv3r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kimai/kimai/security/advisories/GHSA-3xc2-h5r3-wv3r"
},
{
"name": "https://github.com/kimai/kimai/releases/tag/2.54.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kimai/kimai/releases/tag/2.54.0"
}
],
"source": {
"advisory": "GHSA-3xc2-h5r3-wv3r",
"discovery": "UNKNOWN"
},
"title": "Kimai: Formula Injection via tag names in XLSX export"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42267",
"datePublished": "2026-05-08T03:28:52.226Z",
"dateReserved": "2026-04-26T11:53:27.706Z",
"dateUpdated": "2026-05-08T12:58:12.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5242 (GCVE-0-2026-5242)
Vulnerability from cvelistv5 – Published: 2026-06-15 12:47 – Updated: 2026-06-15 15:59
VLAI
Title
Code Injection in Mia Technologies' Pizzy Library
Summary
Improper neutralization of formula elements in a CSV file vulnerability in MIA Technology Inc. Pizzy Library allows Code Injection.
This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1236 - Improper neutralization of formula elements in a CSV file
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://siberguvenlik.gov.tr/guvenlik-bildirimler… | government-resource |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MIA Technology Inc. | Pizzy Library |
Affected:
1.0.0.26250 , < 1.3.9.26250
(custom)
|
Date Public
2026-06-15 12:44
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5242",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T15:58:47.887349Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T15:59:03.264Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pizzy Library",
"vendor": "MIA Technology Inc.",
"versions": [
{
"lessThan": "1.3.9.26250",
"status": "affected",
"version": "1.0.0.26250",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ahmet DURMU\u015e"
},
{
"lang": "en",
"type": "sponsor",
"value": "STM Savunma Teknolojileri M\u00fchendislik ve Ticaret A.\u015e."
}
],
"datePublic": "2026-06-15T12:44:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper neutralization of formula elements in a CSV file vulnerability in MIA Technology Inc. Pizzy Library allows Code Injection.\u003cp\u003eThis issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.\u003c/p\u003e"
}
],
"value": "Improper neutralization of formula elements in a CSV file vulnerability in MIA Technology Inc. Pizzy Library allows Code Injection.\n\nThis issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "CWE-1236 Improper neutralization of formula elements in a CSV file",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T13:47:05.726Z",
"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"shortName": "TR-CERT"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0383"
}
],
"source": {
"advisory": "TR-26-0383",
"defect": [
"TR-26-0383"
],
"discovery": "UNKNOWN"
},
"title": "Code Injection in Mia Technologies\u0027 Pizzy Library",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"assignerShortName": "TR-CERT",
"cveId": "CVE-2026-5242",
"datePublished": "2026-06-15T12:47:51.609Z",
"dateReserved": "2026-03-31T14:31:37.706Z",
"dateUpdated": "2026-06-15T15:59:03.264Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Implementation
Description:
- When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Mitigation
Phase: Implementation
Description:
- If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Mitigation
Phase: Architecture and Design
Description:
- Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
No CAPEC attack patterns related to this CWE.