CWE-1236
AllowedImproper Neutralization of Formula Elements in a CSV File
Abstraction: Base · Status: Incomplete
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
401 vulnerabilities reference this CWE, most recent first.
GHSA-G73P-89XV-8Q58
Vulnerability from github – Published: 2025-02-20 21:30 – Updated: 2025-11-04 21:31PHPJabbers Meeting Room Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.
{
"affected": [],
"aliases": [
"CVE-2023-51336"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-20T19:15:11Z",
"severity": "HIGH"
},
"details": "PHPJabbers Meeting Room Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.",
"id": "GHSA-g73p-89xv-8q58",
"modified": "2025-11-04T21:31:31Z",
"published": "2025-02-20T21:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51336"
},
{
"type": "WEB",
"url": "https://packetstorm.news/files/id/176518"
},
{
"type": "WEB",
"url": "https://www.phpjabbers.com/meeting-room-booking-system/#sectionDemo"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/176518/PHPJabbers-Meeting-Room-Booking-System-1.0-CSV-Injection.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G9CR-RHQJ-PPF4
Vulnerability from github – Published: 2022-11-18 00:30 – Updated: 2022-11-18 21:30Auth. CSV Injection vulnerability in Export Users With Meta plugin <= 0.6.8 on WordPress.
{
"affected": [],
"aliases": [
"CVE-2022-44577"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-17T23:15:00Z",
"severity": "HIGH"
},
"details": "Auth. CSV Injection vulnerability in Export Users With Meta plugin \u003c= 0.6.8 on WordPress.",
"id": "GHSA-g9cr-rhqj-ppf4",
"modified": "2022-11-18T21:30:17Z",
"published": "2022-11-18T00:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44577"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/user-export-with-their-meta-data/wordpress-export-users-with-meta-plugin-0-6-8-auth-csv-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GCP2-R7P4-R5P4
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-10-24 19:00Unvalidated input in the Contact Form 7 Database Addon plugin, versions before 1.2.5.6, was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files.
{
"affected": [],
"aliases": [
"CVE-2021-24144"
],
"database_specific": {
"cwe_ids": [
"CWE-1236",
"CWE-74"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-18T15:15:00Z",
"severity": "HIGH"
},
"details": "Unvalidated input in the Contact Form 7 Database Addon plugin, versions before 1.2.5.6, was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files.",
"id": "GHSA-gcp2-r7p4-r5p4",
"modified": "2022-10-24T19:00:17Z",
"published": "2022-05-24T17:44:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24144"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/143cdaff-c536-4ff9-8d64-c617511ddd48"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GG36-2FJ2-24H8
Vulnerability from github – Published: 2022-11-28 15:30 – Updated: 2022-11-30 15:30The Export customers list csv for WooCommerce, WordPress users csv, export Guest customer list WordPress plugin before 2.0.69 does not validate data when outputting it back in a CSV file, which could lead to CSV injection.
{
"affected": [],
"aliases": [
"CVE-2022-3603"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-28T14:15:00Z",
"severity": "CRITICAL"
},
"details": "The Export customers list csv for WooCommerce, WordPress users csv, export Guest customer list WordPress plugin before 2.0.69 does not validate data when outputting it back in a CSV file, which could lead to CSV injection.",
"id": "GHSA-gg36-2fj2-24h8",
"modified": "2022-11-30T15:30:27Z",
"published": "2022-11-28T15:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3603"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/376e2bc7-2eb9-4e0a-809c-1582940ebdc7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GPJF-V934-73G5
Vulnerability from github – Published: 2023-11-07 21:30 – Updated: 2026-04-28 21:33Improper Neutralization of Formula Elements in a CSV File vulnerability in wpWax Directorist – WordPress Business Directory Plugin with Classified Ads Listing.This issue affects Directorist – WordPress Business Directory Plugin with Classified Ads Listings: from n/a through 7.7.1.
{
"affected": [],
"aliases": [
"CVE-2023-41798"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-07T18:15:08Z",
"severity": "HIGH"
},
"details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in wpWax Directorist \u2013 WordPress Business Directory Plugin with Classified Ads Listing.This issue affects Directorist \u2013 WordPress Business Directory Plugin with Classified Ads Listings: from n/a through 7.7.1.",
"id": "GHSA-gpjf-v934-73g5",
"modified": "2026-04-28T21:33:03Z",
"published": "2023-11-07T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41798"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/directorist/vulnerability/wordpress-directorist-plugin-7-7-0-csv-injection?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/directorist/wordpress-directorist-plugin-7-7-0-csv-injection?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GPMW-2PFX-6XXM
Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2022-12-09 18:30IBM Tivoli Storage Productivity Center (IBM Spectrum Control Standard Edition 5.2.1 through 5.2.17) could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 157063.
{
"affected": [],
"aliases": [
"CVE-2019-4071"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-09T15:29:00Z",
"severity": "HIGH"
},
"details": "IBM Tivoli Storage Productivity Center (IBM Spectrum Control Standard Edition 5.2.1 through 5.2.17) could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 157063.",
"id": "GHSA-gpmw-2pfx-6xxm",
"modified": "2022-12-09T18:30:30Z",
"published": "2022-05-24T16:45:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4071"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/157063"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=ibm10872900"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GX42-FGWV-G9JJ
Vulnerability from github – Published: 2025-08-13 15:30 – Updated: 2025-08-13 21:30CycloneDX Sunshine v0.9 is vulnerable to CSV Formula Injection via a crafted JSON file
{
"affected": [],
"aliases": [
"CVE-2025-52386"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-13T14:15:31Z",
"severity": "MODERATE"
},
"details": "CycloneDX Sunshine v0.9 is vulnerable to CSV Formula Injection via a crafted JSON file",
"id": "GHSA-gx42-fgwv-g9jj",
"modified": "2025-08-13T21:30:27Z",
"published": "2025-08-13T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52386"
},
{
"type": "WEB",
"url": "https://github.com/CycloneDX/Sunshine"
},
{
"type": "WEB",
"url": "https://github.com/VishalSreenivas/Formula-Injection-in-CycloneDX-Sunshine/blob/main/CVE-2025-52386.md"
},
{
"type": "WEB",
"url": "https://github.com/VishalSreenivas/Formula-Injection-in-CycloneDX-Sunshine/blob/main/payload.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H2PH-WHQX-FCCC
Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2024-04-04 00:06SEP (Mac client) prior to and including 12.1 RU6 MP9 and prior to 14.2 RU1 may be susceptible to a CSV/DDE injection (also known as formula injection) vulnerability, which is a type of issue whereby an application or website allows untrusted input into CSV files.
{
"affected": [],
"aliases": [
"CVE-2018-12244"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-25T19:29:00Z",
"severity": "MODERATE"
},
"details": "SEP (Mac client) prior to and including 12.1 RU6 MP9 and prior to 14.2 RU1 may be susceptible to a CSV/DDE injection (also known as formula injection) vulnerability, which is a type of issue whereby an application or website allows untrusted input into CSV files.",
"id": "GHSA-h2ph-whqx-fccc",
"modified": "2024-04-04T00:06:38Z",
"published": "2022-05-24T16:44:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12244"
},
{
"type": "WEB",
"url": "https://support.symantec.com/en_US/article.SYMSA1479.html"
},
{
"type": "WEB",
"url": "https://www.securityfocus.com/bid/107999"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-H3V8-V9F6-FFJP
Vulnerability from github – Published: 2026-05-05 12:31 – Updated: 2026-05-05 12:31ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to execute arbitrary code by injecting formula payloads into vendor name fields. Attackers can add malicious formulas like =10+20+cmd|' /C calc'!A0 in the vendor creation form, which execute when the exported CSV file is opened in spreadsheet applications.
{
"affected": [],
"aliases": [
"CVE-2023-54348"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-05T12:16:17Z",
"severity": "HIGH"
},
"details": "ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to execute arbitrary code by injecting formula payloads into vendor name fields. Attackers can add malicious formulas like =10+20+cmd|\u0027 /C calc\u0027!A0 in the vendor creation form, which execute when the exported CSV file is opened in spreadsheet applications.",
"id": "GHSA-h3v8-v9f6-ffjp",
"modified": "2026-05-05T12:31:38Z",
"published": "2026-05-05T12:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54348"
},
{
"type": "WEB",
"url": "https://codecanyon.net/item/erpgo-saas-all-in-one-business-erp-with-project-account-hrm-crm-pos/33263426"
},
{
"type": "WEB",
"url": "https://rajodiya.com"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/51220"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/erpgo-saas-csv-injection-via-vendor-creation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-H5XJ-9P36-6CJC
Vulnerability from github – Published: 2022-03-26 00:00 – Updated: 2022-03-31 00:00Survey King v0.3.0 does not filter data properly when exporting excel files, allowing attackers to execute arbitrary code or access sensitive information via a CSV injection attack.
{
"affected": [],
"aliases": [
"CVE-2022-26249"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-24T22:15:00Z",
"severity": "CRITICAL"
},
"details": "Survey King v0.3.0 does not filter data properly when exporting excel files, allowing attackers to execute arbitrary code or access sensitive information via a CSV injection attack.",
"id": "GHSA-h5xj-9p36-6cjc",
"modified": "2022-03-31T00:00:35Z",
"published": "2022-03-26T00:00:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26249"
},
{
"type": "WEB",
"url": "https://gitee.com/surveyking/surveyking/issues/I4V05A"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Mitigation
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Mitigation
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
No CAPEC attack patterns related to this CWE.