CWE-1236
AllowedImproper Neutralization of Formula Elements in a CSV File
Abstraction: Base · Status: Incomplete
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
401 vulnerabilities reference this CWE, most recent first.
GHSA-C778-H25H-V8VC
Vulnerability from github – Published: 2023-04-11 03:31 – Updated: 2024-04-04 03:23The SAP Application Interface Framework (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows an Excel formula injection. An authorized attacker can inject arbitrary Excel formulas into fields like the Tooltip of the Custom Hints List. Once the victim opens the downloaded Excel document, the formula will be executed. As a result, an attacker can cause limited impact on the confidentiality and integrity of the application.
{
"affected": [],
"aliases": [
"CVE-2023-29109"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-11T03:15:00Z",
"severity": "MODERATE"
},
"details": "The SAP Application Interface Framework (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows an Excel formula injection. An authorized attacker can inject arbitrary Excel formulas into fields like the Tooltip of the Custom Hints List. Once the victim opens the downloaded Excel document, the formula will be executed. As a result, an attacker can cause limited impact on the confidentiality and integrity of the application.\n\n",
"id": "GHSA-c778-h25h-v8vc",
"modified": "2024-04-04T03:23:27Z",
"published": "2023-04-11T03:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29109"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/3115598"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C77W-6VG2-C6CJ
Vulnerability from github – Published: 2022-11-21 12:30 – Updated: 2022-11-23 18:30The Contact Form 7 Database Addon WordPress plugin before 1.2.6.5 does not validate data when output it back in a CSV file, which could lead to CSV injection
{
"affected": [],
"aliases": [
"CVE-2022-3634"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-21T11:15:00Z",
"severity": "CRITICAL"
},
"details": "The Contact Form 7 Database Addon WordPress plugin before 1.2.6.5 does not validate data when output it back in a CSV file, which could lead to CSV injection",
"id": "GHSA-c77w-6vg2-c6cj",
"modified": "2022-11-23T18:30:28Z",
"published": "2022-11-21T12:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3634"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/b5eeefb0-fb5e-4ca6-a6f0-67f4be4a2b10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C89W-5MX2-XMRQ
Vulnerability from github – Published: 2024-06-18 06:30 – Updated: 2026-04-08 21:32The Business Directory Plugin plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 6.4.3 via the class-csv-exporter.php file. This allows authenticated attackers, with author-level permissions and above, to embed untrusted input into CSV files exported by administrators, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
{
"affected": [],
"aliases": [
"CVE-2023-5527"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-18T06:15:10Z",
"severity": "HIGH"
},
"details": "The Business Directory Plugin plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 6.4.3 via the class-csv-exporter.php file. This allows authenticated attackers, with author-level permissions and above, to embed untrusted input into CSV files exported by administrators, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.",
"id": "GHSA-c89w-5mx2-xmrq",
"modified": "2026-04-08T21:32:47Z",
"published": "2024-06-18T06:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5527"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/business-directory-plugin/trunk/includes/admin/class-csv-exporter.php"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/business-directory-plugin/trunk/includes/admin/helpers/csv/class-csv-exporter.php"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3102475/business-directory-plugin/trunk/includes/admin/helpers/csv/class-csv-exporter.php"
},
{
"type": "WEB",
"url": "https://research.cleantalk.org/cve-2023-5527"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ed037e94-68b4-4efc-9d1a-fffc4aff1c45?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-CG4J-F388-M354
Vulnerability from github – Published: 2024-08-06 15:30 – Updated: 2024-08-08 15:31A CSV injection vulnerability in Automation Anywhere Automation 360 version 21094 allows attackers to execute arbitrary code via a crafted payload.
{
"affected": [],
"aliases": [
"CVE-2024-41226"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-06T14:16:04Z",
"severity": "HIGH"
},
"details": "A CSV injection vulnerability in Automation Anywhere Automation 360 version 21094 allows attackers to execute arbitrary code via a crafted payload.",
"id": "GHSA-cg4j-f388-m354",
"modified": "2024-08-08T15:31:28Z",
"published": "2024-08-06T15:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41226"
},
{
"type": "WEB",
"url": "https://medium.com/%40aksalsalimi/cve-2024-41226-response-manipulation-led-to-csv-injection-9ae3182dcc02"
},
{
"type": "WEB",
"url": "https://www.automationanywhere.com/products/automation-360"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CQX6-VQMJ-2PPH
Vulnerability from github – Published: 2024-06-07 12:34 – Updated: 2024-06-07 12:34The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
{
"affected": [],
"aliases": [
"CVE-2023-5424"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-07T10:15:10Z",
"severity": "MODERATE"
},
"details": "The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.",
"id": "GHSA-cqx6-vqmj-2pph",
"modified": "2024-06-07T12:34:14Z",
"published": "2024-06-07T12:34:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5424"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3098265%40ws-form\u0026new=3098265%40ws-form\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://wsform.com/changelog/?utm_source=wp_plugins\u0026utm_medium=readme"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38ccaa81-77ec-46f2-9bec-d74fa2e093f3?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CV8Q-93V6-RXM5
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19The Connections Business Directory WordPress plugin before 9.7 does not validate or sanitise some connections' fields, which could lead to a CSV injection issue
{
"affected": [],
"aliases": [
"CVE-2020-36503"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-01T09:15:00Z",
"severity": "HIGH"
},
"details": "The Connections Business Directory WordPress plugin before 9.7 does not validate or sanitise some connections\u0027 fields, which could lead to a CSV injection issue",
"id": "GHSA-cv8q-93v6-rxm5",
"modified": "2022-05-24T19:19:21Z",
"published": "2022-05-24T19:19:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36503"
},
{
"type": "WEB",
"url": "https://github.com/Connections-Business-Directory/Connections/issues/474"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/dd394b55-c86f-4fa2-aae8-5903ca0b95ec"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-CX67-5G6V-J9PH
Vulnerability from github – Published: 2023-11-07 21:30 – Updated: 2026-04-28 15:30Improper Neutralization of Formula Elements in a CSV File vulnerability in Shambix Simple CSV/XLS Exporter.This issue affects Simple CSV/XLS Exporter: from n/a through 1.5.8.
{
"affected": [],
"aliases": [
"CVE-2022-42882"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-07T18:15:07Z",
"severity": "HIGH"
},
"details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in Shambix Simple CSV/XLS Exporter.This issue affects Simple CSV/XLS Exporter: from n/a through 1.5.8.",
"id": "GHSA-cx67-5g6v-j9ph",
"modified": "2026-04-28T15:30:35Z",
"published": "2023-11-07T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42882"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/simple-csv-xls-exporter/vulnerability/wordpress-simple-csv-xls-exporter-plugin-1-5-8-authenticated-csv-injection-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/simple-csv-xls-exporter/wordpress-simple-csv-xls-exporter-plugin-1-5-8-authenticated-csv-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F375-4MFQ-X442
Vulnerability from github – Published: 2023-12-07 09:30 – Updated: 2023-12-11 15:30Availability Booking Calendar 5.0 allows CSV injection via the unique ID field in the Reservations list component.
{
"affected": [],
"aliases": [
"CVE-2023-48207"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-07T07:15:09Z",
"severity": "HIGH"
},
"details": "Availability Booking Calendar 5.0 allows CSV injection via the unique ID field in the Reservations list component.",
"id": "GHSA-f375-4mfq-x442",
"modified": "2023-12-11T15:30:49Z",
"published": "2023-12-07T09:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48207"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/175804"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F55G-X8QQ-2569
Vulnerability from github – Published: 2022-05-03 00:00 – Updated: 2022-05-18 19:19CSV-Safe gem < 3.0.0 doesn't filter out special characters which could trigger CSV Injection.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "csv-safe"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-28481"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-18T19:19:58Z",
"nvd_published_at": "2022-05-01T15:15:00Z",
"severity": "CRITICAL"
},
"details": "CSV-Safe gem \u003c 3.0.0 doesn\u0027t filter out special characters which could trigger CSV Injection.",
"id": "GHSA-f55g-x8qq-2569",
"modified": "2022-05-18T19:19:58Z",
"published": "2022-05-03T00:00:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28481"
},
{
"type": "WEB",
"url": "https://github.com/zvory/csv-safe/issues/7"
},
{
"type": "WEB",
"url": "https://github.com/zvory/csv-safe/pull/8"
},
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/weblate/commit/d9e136ff228e3760fd6dd7572869ac38e9a81809"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/223999"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/csv-safe/CVE-2022-28481.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/zvory/csv-safe"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "CSV-Safe improperly filters special characters potentially leading to CSV injection"
}
GHSA-F8HP-GRMR-PP7J
Vulnerability from github – Published: 2023-05-02 18:30 – Updated: 2023-05-10 00:34RosarioSIS 10.8.4 is vulnerable to CSV injection via the Periods Module.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "francoisjacquet/rosariosis"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "10.8.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-29918"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-02T23:13:23Z",
"nvd_published_at": "2023-05-02T16:15:09Z",
"severity": "MODERATE"
},
"details": "RosarioSIS 10.8.4 is vulnerable to CSV injection via the Periods Module.",
"id": "GHSA-f8hp-grmr-pp7j",
"modified": "2023-05-10T00:34:41Z",
"published": "2023-05-02T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29918"
},
{
"type": "WEB",
"url": "https://docs.google.com/document/d/1JAhJOlfKKD5Y5zEKo0_8a3A-nQ7Dz_GIMmlXmOvXV48/edit?usp=sharing"
},
{
"type": "PACKAGE",
"url": "https://github.com/francoisjacquet/rosariosis"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "RosarioSIS vulnerable to CSV Injection"
}
Mitigation
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Mitigation
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Mitigation
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
No CAPEC attack patterns related to this CWE.