CWE-1236
AllowedImproper Neutralization of Formula Elements in a CSV File
Abstraction: Base · Status: Incomplete
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
401 vulnerabilities reference this CWE, most recent first.
GHSA-FX25-QH4F-8GHH
Vulnerability from github – Published: 2025-07-31 09:32 – Updated: 2025-07-31 09:32Multiple versions of PowerCMS improperly neutralize formula elements in a CSV file. If a product user creates a malformed entry and a victim user downloads it as a CSV file and opens it in the user's environment, the embedded code may be executed.
{
"affected": [],
"aliases": [
"CVE-2025-54752"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-31T08:15:25Z",
"severity": "MODERATE"
},
"details": "Multiple versions of PowerCMS improperly neutralize formula elements in a CSV file. If a product user creates a malformed entry and a victim user downloads it as a CSV file and opens it in the user\u0027s environment, the embedded code may be executed.",
"id": "GHSA-fx25-qh4f-8ghh",
"modified": "2025-07-31T09:32:49Z",
"published": "2025-07-31T09:32:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54752"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU93412964"
},
{
"type": "WEB",
"url": "https://www.powercms.jp/news/release-powercms-671-531-461.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G26Q-PPP8-JJ4R
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43A CSV injection vulnerability found in Online Invoicing System (OIS) 4.3 and below can be exploited by users to perform malicious actions such as redirecting admins to unknown or harmful websites, or disclosing other clients' details that the user did not have access to.
{
"affected": [],
"aliases": [
"CVE-2021-27839"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-03T19:15:00Z",
"severity": "MODERATE"
},
"details": "A CSV injection vulnerability found in Online Invoicing System (OIS) 4.3 and below can be exploited by users to perform malicious actions such as redirecting admins to unknown or harmful websites, or disclosing other clients\u0027 details that the user did not have access to.",
"id": "GHSA-g26q-ppp8-jj4r",
"modified": "2022-05-24T17:43:36Z",
"published": "2022-05-24T17:43:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27839"
},
{
"type": "WEB",
"url": "https://github.com/bigprof-software/online-invoicing-system/releases/tag/4.4"
},
{
"type": "WEB",
"url": "https://www.jinsonvarghese.com/csv-injection-in-online-invoicing-system"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-G27C-Q7CP-MHX6
Vulnerability from github – Published: 2026-05-28 06:31 – Updated: 2026-07-01 21:25Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "json-2-csv"
},
"ranges": [
{
"events": [
{
"introduced": "3.15.0"
},
{
"fixed": "5.5.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-9673"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-01T21:25:23Z",
"nvd_published_at": "2026-05-28T06:16:29Z",
"severity": "MODERATE"
},
"details": "Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications.",
"id": "GHSA-g27c-q7cp-mhx6",
"modified": "2026-07-01T21:25:23Z",
"published": "2026-05-28T06:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9673"
},
{
"type": "WEB",
"url": "https://github.com/mrodrig/json-2-csv/commit/0fdd0bb6d0273178cd940afc323ccbce19688229"
},
{
"type": "WEB",
"url": "https://gist.github.com/whoamins/299745a2d36b482b44e9613b78e40613"
},
{
"type": "PACKAGE",
"url": "https://github.com/mrodrig/json-2-csv"
},
{
"type": "WEB",
"url": "https://github.com/mrodrig/json-2-csv/blob/main/src/json2csv.ts%23L410"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-JSON2CSV-14221326"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "json-2-csv vulnerable to CSV Injection via the preventCsvInjection optio"
}
GHSA-G2M8-F3X2-QPRW
Vulnerability from github – Published: 2024-09-12 15:33 – Updated: 2024-09-23 19:11An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its classification tasks handle provided CSV files. If a victim user creates a classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "refuel-autolabel"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.8"
},
{
"last_affected": "0.0.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-27320"
],
"database_specific": {
"cwe_ids": [
"CWE-1236",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-12T19:49:53Z",
"nvd_published_at": "2024-09-12T13:15:11Z",
"severity": "HIGH"
},
"details": "An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its classification tasks handle provided CSV files. If a victim user creates a classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it.",
"id": "GHSA-g2m8-f3x2-qprw",
"modified": "2024-09-23T19:11:59Z",
"published": "2024-09-12T15:33:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27320"
},
{
"type": "PACKAGE",
"url": "https://github.com/refuel-ai/autolabel"
},
{
"type": "WEB",
"url": "https://github.com/refuel-ai/autolabel/blob/v0.0.16/src/autolabel/dataset/validation.py#L57-L79"
},
{
"type": "WEB",
"url": "https://hiddenlayer.com/sai-security-advisory/2024-09-autolabel"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Refuel Autolab Eval Injection vulnerability"
}
GHSA-G2VC-GPM2-RP4W
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33CSV Injection exists in InterMind iMind Server through 3.13.65 via the csv export functionality.
{
"affected": [],
"aliases": [
"CVE-2020-25398"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-05T16:15:00Z",
"severity": "HIGH"
},
"details": "CSV Injection exists in InterMind iMind Server through 3.13.65 via the csv export functionality.",
"id": "GHSA-g2vc-gpm2-rp4w",
"modified": "2022-05-24T17:33:14Z",
"published": "2022-05-24T17:33:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25398"
},
{
"type": "WEB",
"url": "https://github.com/h3llraiser/CVE-2020-25398"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-G45P-2VH4-M46H
Vulnerability from github – Published: 2025-05-21 15:30 – Updated: 2025-05-21 15:30Data provided in a request performed to the server while activating a new device are put in a database. Other high privileged users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC.
This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite).
{
"affected": [],
"aliases": [
"CVE-2025-1421"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-21T13:16:02Z",
"severity": "LOW"
},
"details": "Data provided in a request performed to the server while activating a new device are put in a database.\u00a0Other high privileged users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user\u0027s PC.\n\n\nThis issue has been fixed in\u00a02.17.5 version of\u00a0Konsola Proget (server part of the MDM suite).",
"id": "GHSA-g45p-2vh4-m46h",
"modified": "2025-05-21T15:30:33Z",
"published": "2025-05-21T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1421"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2025/05/CVE-2025-1415"
},
{
"type": "WEB",
"url": "https://proget.pl/en/mobile-device-management"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G4V7-HFRX-HQF3
Vulnerability from github – Published: 2022-04-13 00:00 – Updated: 2022-04-20 00:00The Visual Form Builder WordPress plugin before 3.0.6 is vulnerable to CSV injection allowing a user with low level or no privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.
{
"affected": [],
"aliases": [
"CVE-2022-0142"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-12T12:15:00Z",
"severity": "CRITICAL"
},
"details": "The Visual Form Builder WordPress plugin before 3.0.6 is vulnerable to CSV injection allowing a user with low level or no privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.",
"id": "GHSA-g4v7-hfrx-hqf3",
"modified": "2022-04-20T00:00:50Z",
"published": "2022-04-13T00:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0142"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/03210390-2054-40c0-9508-39d168087878"
},
{
"type": "WEB",
"url": "https://www.fortiguard.com/zeroday/FG-VD-21-080"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G5GR-7QPP-2P9M
Vulnerability from github – Published: 2023-11-15 15:30 – Updated: 2026-04-28 21:33Improper Neutralization of Formula Elements in a CSV File vulnerability in Pär Thernström Simple History – user activity log, audit tool.This issue affects Simple History – user activity log, audit tool: from n/a through 3.3.1.
{
"affected": [],
"aliases": [
"CVE-2022-45350"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-07T15:15:09Z",
"severity": "HIGH"
},
"details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in P\u00e4r Thernstr\u00f6m Simple History \u2013 user activity log, audit tool.This issue affects Simple History \u2013 user activity log, audit tool: from n/a through 3.3.1.",
"id": "GHSA-g5gr-7qpp-2p9m",
"modified": "2026-04-28T21:33:01Z",
"published": "2023-11-15T15:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45350"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/simple-history/vulnerability/wordpress-simple-history-plugin-3-3-1-csv-injection-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/simple-history/wordpress-simple-history-plugin-3-3-1-csv-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G5QW-HP88-696M
Vulnerability from github – Published: 2022-11-04 12:00 – Updated: 2022-11-04 19:01"IBM InfoSphere Information Server 11.7 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 223598."
{
"affected": [],
"aliases": [
"CVE-2022-22425"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-03T20:15:00Z",
"severity": "CRITICAL"
},
"details": "\"IBM InfoSphere Information Server 11.7 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 223598.\"",
"id": "GHSA-g5qw-hp88-696m",
"modified": "2022-11-04T19:01:16Z",
"published": "2022-11-04T12:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22425"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6829953"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G6C2-GHR3-XMVW
Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37There has a CSV injection vulnerability in iManager NetEco 6000 versions V600R021C00. An attacker with common privilege may exploit this vulnerability through some operations to inject the CSV files. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject CSV files to the target device.
{
"affected": [],
"aliases": [
"CVE-2020-9200"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-24T16:15:00Z",
"severity": "HIGH"
},
"details": "There has a CSV injection vulnerability in iManager NetEco 6000 versions V600R021C00. An attacker with common privilege may exploit this vulnerability through some operations to inject the CSV files. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject CSV files to the target device.",
"id": "GHSA-g6c2-ghr3-xmvw",
"modified": "2022-05-24T17:37:17Z",
"published": "2022-05-24T17:37:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9200"
},
{
"type": "WEB",
"url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20201209-01-csvinjection-en"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Mitigation
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Mitigation
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
No CAPEC attack patterns related to this CWE.