Common Weakness Enumeration

CWE-1236

Allowed

Improper Neutralization of Formula Elements in a CSV File

Abstraction: Base · Status: Incomplete

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

401 vulnerabilities reference this CWE, most recent first.

GHSA-57X8-GCV2-WR5X

Vulnerability from github – Published: 2025-08-12 09:30 – Updated: 2025-08-12 09:30
VLAI
Details

The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 0.16.17 via the 'download_csv_players' and 'download_csv_games' functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8767"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-12T07:15:30Z",
    "severity": "MODERATE"
  },
  "details": "The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 0.16.17 via the \u0027download_csv_players\u0027 and \u0027download_csv_games\u0027 functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.",
  "id": "GHSA-57x8-gcv2-wr5x",
  "modified": "2025-08-12T09:30:31Z",
  "published": "2025-08-12T09:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8767"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/football-leagues-by-anwppro/trunk/includes/class-anwpfl-data-port.php#L265"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/football-leagues-by-anwppro/trunk/includes/class-anwpfl-data-port.php#L58"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/football-leagues-by-anwppro/trunk/includes/class-anwpfl-data-port.php#L93"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/04676263-cdad-40cd-bb54-61beb727e09d?source=cve"
    },
    {
      "type": "WEB",
      "url": "http://plugins.trac.wordpress.org/changeset/3342787/football-leagues-by-anwppro/trunk/includes/class-anwpfl-data-port.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-592W-453P-RPMG

Vulnerability from github – Published: 2025-10-23 15:30 – Updated: 2025-10-23 18:31
VLAI
Details

A CSV Injection vulnerability existed in Instant Developer Foundation versions prior to 25.0.9600. Applications built with affected versions of the framework did not properly sanitize user-controlled input before including it in CSV exports. This issue could lead to code execution on the system where the exported CSV file is opened.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-60852"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-23T14:15:42Z",
    "severity": "MODERATE"
  },
  "details": "A CSV Injection vulnerability existed in Instant Developer Foundation versions prior to 25.0.9600. Applications built with affected versions of the framework did not properly sanitize user-controlled input before including it in CSV exports. This issue could lead to code execution on the system where the exported CSV file is opened.",
  "id": "GHSA-592w-453p-rpmg",
  "modified": "2025-10-23T18:31:14Z",
  "published": "2025-10-23T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60852"
    },
    {
      "type": "WEB",
      "url": "https://doc.instantdeveloper.com/eng/default.aspx?artid=a6c69034-d1ee-4057-b19d-40505151ec8e\u0026lang=eng"
    },
    {
      "type": "WEB",
      "url": "https://github.com/valeriocassoni/CSV-Injection-in-Instant-Developer-Foundation-25.0-PoC"
    },
    {
      "type": "WEB",
      "url": "https://instantdeveloper.com/lp/cloud-freelance/index.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5FJW-RFFF-JP7H

Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2023-12-12 21:31
VLAI
Details

Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior, IntelliVue X3 and X2 Versions N and prior. The software saves user-provided information into a comma-separated value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-16214"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-11T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior, IntelliVue X3 and X2 Versions N and prior. The software saves user-provided information into a comma-separated value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software.",
  "id": "GHSA-5fjw-rfff-jp7h",
  "modified": "2023-12-12T21:31:05Z",
  "published": "2022-05-24T17:28:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16214"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01"
    },
    {
      "type": "WEB",
      "url": "https://www.philips.com/productsecurity"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5G3J-V298-JM95

Vulnerability from github – Published: 2024-03-05 12:30 – Updated: 2025-04-10 21:30
VLAI
Details

A CWE-1236 “Improper Neutralization of Formula Elements in a CSV File” vulnerability in the “file_configuration” functionality of the web application (concerning the function “export_file”) allows a remote authenticated attacker to inject arbitrary formulas inside generated CSV files. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-45597"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-05T12:15:47Z",
    "severity": "MODERATE"
  },
  "details": "A CWE-1236 \u201cImproper Neutralization of Formula Elements in a CSV File\u201d vulnerability in the \u201cfile_configuration\u201d functionality of the web application (concerning the function \u201cexport_file\u201d) allows a remote authenticated attacker to inject arbitrary formulas inside generated CSV files. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.",
  "id": "GHSA-5g3j-v298-jm95",
  "modified": "2025-04-10T21:30:45Z",
  "published": "2024-03-05T12:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45597"
    },
    {
      "type": "WEB",
      "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2023-45597"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5HVW-CMC2-MPJR

Vulnerability from github – Published: 2023-08-17 21:30 – Updated: 2024-04-04 07:01
VLAI
Details

An issue in Atlos v.1.0 allows an authenticated attacker to execute arbitrary code via a crafted payload into the description field in the incident function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-38843"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-17T19:15:12Z",
    "severity": "HIGH"
  },
  "details": "An issue in Atlos v.1.0 allows an authenticated attacker to execute arbitrary code via a crafted payload into the description field in the incident function.",
  "id": "GHSA-5hvw-cmc2-mpjr",
  "modified": "2024-04-04T07:01:58Z",
  "published": "2023-08-17T21:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38843"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/senzee1984/ff30f0914db39d2741ab17332f0fc6e1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/atlosdotorg/atlos"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5JFQ-Q2RX-7PXG

Vulnerability from github – Published: 2024-07-09 18:30 – Updated: 2024-07-09 18:30
VLAI
Details

An improper neutralization of formula elements in a CSV File vulnerability [CWE-1236] in FortiAIOps version 2.0.0 may allow a remote authenticated attacker to execute arbitrary commands on a client's workstation via poisoned CSV reports.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27785"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-09T16:15:05Z",
    "severity": "MODERATE"
  },
  "details": "An improper neutralization of formula elements in a CSV File vulnerability [CWE-1236] in FortiAIOps version 2.0.0 may allow a remote authenticated attacker to execute arbitrary commands on a client\u0027s workstation via poisoned CSV reports.",
  "id": "GHSA-5jfq-q2rx-7pxg",
  "modified": "2024-07-09T18:30:49Z",
  "published": "2024-07-09T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27785"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-073"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5P8H-XW8M-3W4J

Vulnerability from github – Published: 2022-11-07 12:00 – Updated: 2022-11-10 12:01
VLAI
Details

The Contact Form Plugin WordPress plugin before 4.3.13 does not validate and escape fields when exporting form entries as CSV, leading to a CSV injection

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3463"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-07T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The Contact Form Plugin WordPress plugin before 4.3.13 does not validate and escape fields when exporting form entries as CSV, leading to a CSV injection",
  "id": "GHSA-5p8h-xw8m-3w4j",
  "modified": "2022-11-10T12:01:17Z",
  "published": "2022-11-07T12:00:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3463"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/e2a59481-db45-4b8e-b17a-447303469364"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5VW2-J3G7-V489

Vulnerability from github – Published: 2025-12-30 21:30 – Updated: 2026-01-02 15:30
VLAI
Details

A CSV Formula Injection vulnerability in TrueConf Server v5.5.2.10813 allows a normal user to inject malicious spreadsheet formulas into exported chat logs via crafted Display Name.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-66834"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-30T19:15:44Z",
    "severity": "HIGH"
  },
  "details": "A CSV Formula Injection vulnerability in TrueConf Server v5.5.2.10813 allows a normal user to inject malicious spreadsheet formulas into exported chat logs via crafted Display Name.",
  "id": "GHSA-5vw2-j3g7-v489",
  "modified": "2026-01-02T15:30:25Z",
  "published": "2025-12-30T21:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66834"
    },
    {
      "type": "WEB",
      "url": "https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-66834/README.md"
    },
    {
      "type": "WEB",
      "url": "https://trueconf.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6267-49MH-P6X2

Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2024-03-21 03:33
VLAI
Details

** DISPUTED ** In Joget Workflow 6.0.20, CSV Injection, also known as Formula Injection, exists, as demonstrated by jw/web/userview/crm_community/crm_userview_sales/_/account_new with the Account ID or Account Name field. NOTE: the vendor disputes the relevance of this finding because CSV is not the intended export format for spreadsheet applications.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-14352"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-28T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "** DISPUTED ** In Joget Workflow 6.0.20, CSV Injection, also known as Formula Injection, exists, as demonstrated by jw/web/userview/crm_community/crm_userview_sales/_/account_new with the Account ID or Account Name field. NOTE: the vendor disputes the relevance of this finding because CSV is not the intended export format for spreadsheet applications.",
  "id": "GHSA-6267-49mh-p6x2",
  "modified": "2024-03-21T03:33:41Z",
  "published": "2022-05-24T16:51:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14352"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jogetworkflow/jw-community/issues/20"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-634P-93H9-92VH

Vulnerability from github – Published: 2022-09-16 22:06 – Updated: 2022-09-19 20:20
VLAI
Summary
ghas-to-csv vulnerable to Improper Neutralization of Formula Elements in a CSV File
Details

Impact

This GitHub Action creates a CSV file without sanitizing the output of the APIs. If an alert is dismissed or any other custom field contains executable code / formulas, it might be run when an endpoint opens that CSV file in a spreadsheet program. The data flow looks like this 👇🏻

graph TD
    A(Repository) -->|developer dismissal, other data input| B(GitHub Advanced Security data)
    B -->|ghas-to-csv| C(CSV file)
    C -->|spreadsheet program| D(endpoint executes potentially malicious code)

Patches

Please use version v1 or later. That tag moves from using csv to defusedcsv to mitigate this problem.

Workarounds

There is no workaround. Please upgrade to using the latest tag, v1 (or later).

References

  • CWE-1236 information from MITRE
  • CSV injection information from OWASP
  • CodeQL query for CWE-1236 in Python here
  • PyPI site for defusedcsv here

For more information

If you have any questions or comments about this advisory:

  • Open an issue in this repository here
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "GitHub Actions",
        "name": "some-natalie/ghas-to-csv"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39217"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236",
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-16T22:06:55Z",
    "nvd_published_at": "2022-09-17T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThis GitHub Action creates a CSV file without sanitizing the output of the APIs.  If an alert is dismissed or any other custom field contains executable code / formulas, it might be run when an endpoint opens that CSV file in a spreadsheet program.  The data flow looks like this \ud83d\udc47\ud83c\udffb \n\n```mermaid\ngraph TD\n    A(Repository) --\u003e|developer dismissal, other data input| B(GitHub Advanced Security data)\n    B --\u003e|ghas-to-csv| C(CSV file)\n    C --\u003e|spreadsheet program| D(endpoint executes potentially malicious code)\n```\n\n### Patches\n\nPlease use version `v1` or later.  That tag moves from using `csv` to `defusedcsv` to mitigate this problem.\n\n### Workarounds\n\nThere is no workaround.  Please upgrade to using the latest tag, `v1` (or later).\n\n### References\n\n* CWE-1236 information from [MITRE](https://cwe.mitre.org/data/definitions/1236.html)\n* CSV injection information from [OWASP](https://owasp.org/www-community/attacks/CSV_Injection)\n* CodeQL query for CWE-1236 in Python [here](https://github.com/github/codeql/tree/main/python/ql/src/experimental/Security/CWE-1236)\n* PyPI site for `defusedcsv` [here](https://pypi.org/project/defusedcsv/)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in this repository [here](https://github.com/some-natalie/ghas-to-csv/issues)\n",
  "id": "GHSA-634p-93h9-92vh",
  "modified": "2022-09-19T20:20:23Z",
  "published": "2022-09-16T22:06:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/some-natalie/ghas-to-csv/security/advisories/GHSA-634p-93h9-92vh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39217"
    },
    {
      "type": "WEB",
      "url": "https://github.com/some-natalie/ghas-to-csv/issues/19"
    },
    {
      "type": "WEB",
      "url": "https://github.com/some-natalie/ghas-to-csv/pull/20"
    },
    {
      "type": "WEB",
      "url": "https://github.com/some-natalie/ghas-to-csv/commit/d0b521928fa734513b5cd9c7d9d8e09db50e884a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/some-natalie/ghas-to-csv"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ghas-to-csv vulnerable to Improper Neutralization of Formula Elements in a CSV File"
}

Mitigation
Implementation

When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

Mitigation
Implementation

If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Mitigation
Architecture and Design

Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

No CAPEC attack patterns related to this CWE.