CWE-1236
AllowedImproper Neutralization of Formula Elements in a CSV File
Abstraction: Base · Status: Incomplete
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
401 vulnerabilities reference this CWE, most recent first.
GHSA-46X4-34F2-J42G
Vulnerability from github – Published: 2022-05-24 22:01 – Updated: 2024-02-14 18:30A CSV injection in the codepress-admin-columns (aka Admin Columns) plugin 3.4.6 for WordPress allows malicious users to gain remote control of other computers. By choosing formula code as his first or last name, an attacker can create a user with a name that contains malicious code. Other users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC.
{
"affected": [],
"aliases": [
"CVE-2019-17661"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-08T18:15:00Z",
"severity": "HIGH"
},
"details": "A CSV injection in the codepress-admin-columns (aka Admin Columns) plugin 3.4.6 for WordPress allows malicious users to gain remote control of other computers. By choosing formula code as his first or last name, an attacker can create a user with a name that contains malicious code. Other users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user\u0027s PC.",
"id": "GHSA-46x4-34f2-j42g",
"modified": "2024-02-14T18:30:24Z",
"published": "2022-05-24T22:01:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17661"
},
{
"type": "WEB",
"url": "https://www2.deloitte.com/de/de/pages/risk/articles/wordpress-csv-injection.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4C36-3WHG-3PPX
Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18A CSV Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.
{
"affected": [],
"aliases": [
"CVE-2018-10257"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-01T19:29:00Z",
"severity": "HIGH"
},
"details": "A CSV Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.",
"id": "GHSA-4c36-3whg-3ppx",
"modified": "2022-05-13T01:18:49Z",
"published": "2022-05-13T01:18:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10257"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44536"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/147364/HRSALE-The-Ultimate-HRM-1.0.2-CSV-Injection.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4FC7-7QM8-3HR4
Vulnerability from github – Published: 2022-05-13 01:21 – Updated: 2022-05-13 01:21Open-AudIT before 2.2 has CSV Injection.
{
"affected": [],
"aliases": [
"CVE-2018-9137"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-19T08:29:00Z",
"severity": "MODERATE"
},
"details": "Open-AudIT before 2.2 has CSV Injection.",
"id": "GHSA-4fc7-7qm8-3hr4",
"modified": "2022-05-13T01:21:05Z",
"published": "2022-05-13T01:21:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9137"
},
{
"type": "WEB",
"url": "https://community.opmantek.com/display/OA/Errata+-+2.1+Security+Update%2C+April+2018"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44511"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4FGP-7VVM-M4JF
Vulnerability from github – Published: 2024-09-12 15:33 – Updated: 2024-09-20 19:16An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its multilabel classification tasks handle provided CSV files. If a user creates a multilabel classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "refuel-autolabel"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.8"
},
{
"last_affected": "0.0.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-27321"
],
"database_specific": {
"cwe_ids": [
"CWE-1236",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-12T19:49:50Z",
"nvd_published_at": "2024-09-12T13:15:12Z",
"severity": "HIGH"
},
"details": "An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its multilabel classification tasks handle provided CSV files. If a user creates a multilabel classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it.",
"id": "GHSA-4fgp-7vvm-m4jf",
"modified": "2024-09-20T19:16:57Z",
"published": "2024-09-12T15:33:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27321"
},
{
"type": "PACKAGE",
"url": "https://github.com/refuel-ai/autolabel"
},
{
"type": "WEB",
"url": "https://github.com/refuel-ai/autolabel/blob/v0.0.16/src/autolabel/dataset/validation.py#L129-L146"
},
{
"type": "WEB",
"url": "https://hiddenlayer.com/sai-security-advisory/2024-09-autolabel"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Refuel Autolab Eval Injection vulnerability"
}
GHSA-4HVR-HGMW-438R
Vulnerability from github – Published: 2023-07-19 00:31 – Updated: 2024-04-04 06:16A CSV injection vulnerability was found in the Avaya Call Management System (CMS) Supervisor web application which allows a user with administrative privileges to input crafted data which, when exported to a CSV file, may attempt arbitrary command execution on the system used to open the file by a spreadsheet software
such as Microsoft Excel.
{
"affected": [],
"aliases": [
"CVE-2023-3527"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-18T22:15:09Z",
"severity": "MODERATE"
},
"details": "A CSV injection vulnerability was found in the\u00a0Avaya Call Management System (CMS) Supervisor web application which allows a user with administrative privileges to input crafted data which, when exported to a CSV file, may attempt arbitrary command execution on the system used to open the file by a spreadsheet software \n\nsuch as Microsoft Excel.\n\n\u00a0\n\n",
"id": "GHSA-4hvr-hgmw-438r",
"modified": "2024-04-04T06:16:36Z",
"published": "2023-07-19T00:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3527"
},
{
"type": "WEB",
"url": "https://download.avaya.com/css/public/documents/101086364"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-4P76-GP5V-JC39
Vulnerability from github – Published: 2022-09-17 00:00 – Updated: 2022-09-21 00:00The Mobile Events Manager WordPress plugin before 1.4.8 does not properly escape the Enquiry source field when exporting events, or the Paid for field when exporting transactions as CSV, leading to a CSV injection vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-1194"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-16T09:15:00Z",
"severity": "HIGH"
},
"details": "The Mobile Events Manager WordPress plugin before 1.4.8 does not properly escape the Enquiry source field when exporting events, or the Paid for field when exporting transactions as CSV, leading to a CSV injection vulnerability.",
"id": "GHSA-4p76-gp5v-jc39",
"modified": "2022-09-21T00:00:46Z",
"published": "2022-09-17T00:00:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1194"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/62be0991-f095-43cf-a167-3daaed254594"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4Q3W-JGFX-4792
Vulnerability from github – Published: 2026-01-28 18:30 – Updated: 2026-06-09 20:50Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like '=10+20+cmd|' /C calc'!A0' in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tendenci"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "12.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-36962"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-09T20:50:33Z",
"nvd_published_at": "2026-01-28T18:16:46Z",
"severity": "MODERATE"
},
"details": "Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like \u0027=10+20+cmd|\u0027 /C calc\u0027!A0\u0027 in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications.",
"id": "GHSA-4q3w-jgfx-4792",
"modified": "2026-06-09T20:50:33Z",
"published": "2026-01-28T18:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36962"
},
{
"type": "WEB",
"url": "https://github.com/tendenci/tendenci/commit/3e37622cac81440c5a1f97c39f112a2cf4a5450c"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tendenci/PYSEC-2026-136.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/tendenci/tendenci"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49145"
},
{
"type": "WEB",
"url": "https://www.tendenci.com"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/tendenci-csv-formula-injection"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Tendenci is Vulnerable to CSV Formula Injection through its Contact Form Message Field "
}
GHSA-4VXW-8XM6-P5Q8
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28In “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by “CSV Injection” vulnerability (Formula Injection). A low privileged attacker can use accounts module to inject payloads in the input fields. When an administrator access accounts module to export the data as a CSV file and opens it, the payload gets executed. This was not fixed properly as part of CVE-2020-15301, allowing the attacker to bypass the security measure.
{
"affected": [],
"aliases": [
"CVE-2021-25960"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-29T14:15:00Z",
"severity": "HIGH"
},
"details": "In \u201cSuiteCRM\u201d application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by \u201cCSV Injection\u201d vulnerability (Formula Injection). A low privileged attacker can use accounts module to inject payloads in the input fields. When an administrator access accounts module to export the data as a CSV file and opens it, the payload gets executed. This was not fixed properly as part of CVE-2020-15301, allowing the attacker to bypass the security measure.",
"id": "GHSA-4vxw-8xm6-p5q8",
"modified": "2022-05-24T22:28:13Z",
"published": "2022-05-24T22:28:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25960"
},
{
"type": "WEB",
"url": "https://github.com/salesagility/SuiteCRM/commit/7124482fe07ee164923d974456ed31e45f65e513"
},
{
"type": "WEB",
"url": "https://github.com/salesagility/SuiteCRM/commit/f463031bee59676d7d5be53bb32d551cd70a5648"
},
{
"type": "WEB",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25960"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4W78-H86P-3C63
Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19IBM API Connect 5.0.0.0, 5.0.8.4, 2018.1 and 2018.3.6 is vulnerable to CSV injection via the developer portal and analytics that could contain malicious commands that would be executed once opened by an administrator. IBM X-Force ID: 148692.
{
"affected": [],
"aliases": [
"CVE-2018-1774"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-09T01:29:00Z",
"severity": "HIGH"
},
"details": "IBM API Connect 5.0.0.0, 5.0.8.4, 2018.1 and 2018.3.6 is vulnerable to CSV injection via the developer portal and analytics that could contain malicious commands that would be executed once opened by an administrator. IBM X-Force ID: 148692.",
"id": "GHSA-4w78-h86p-3c63",
"modified": "2022-05-13T01:19:28Z",
"published": "2022-05-13T01:19:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1774"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/148692"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10737867"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-53FW-HRCF-M25V
Vulnerability from github – Published: 2025-02-20 15:31 – Updated: 2025-11-04 21:31PHPJabbers Car Park Booking System v3.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.
{
"affected": [],
"aliases": [
"CVE-2023-51311"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-20T15:15:12Z",
"severity": "HIGH"
},
"details": "PHPJabbers Car Park Booking System v3.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.",
"id": "GHSA-53fw-hrcf-m25v",
"modified": "2025-11-04T21:31:30Z",
"published": "2025-02-20T15:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51311"
},
{
"type": "WEB",
"url": "https://packetstorm.news/files/id/176494"
},
{
"type": "WEB",
"url": "https://www.phpjabbers.com/car-park-booking/#sectionDemo"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/176494/PHPJabbers-Car-Park-Booking-System-3.0-CSV-Injection.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Mitigation
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Mitigation
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
No CAPEC attack patterns related to this CWE.