CWE-1236
AllowedImproper Neutralization of Formula Elements in a CSV File
Abstraction: Base · Status: Incomplete
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
401 vulnerabilities reference this CWE, most recent first.
GHSA-H77M-QRJ7-JXCW
Vulnerability from github – Published: 2026-06-26 23:03 – Updated: 2026-06-26 23:03Impact
Form submission values were not neutralized for spreadsheet formula characters when exported to CSV. A submission containing a value beginning with a formula trigger character (e.g. = , + , - , @ ) could be interpreted as a live formula when a Control Panel user opens the export in a spreadsheet application. Form submissions can come from unauthenticated front-end visitors, so the malicious value can be supplied by an anonymous user and is later triggered by an editor opening the export.
Exploitation affects the spreadsheet application used to open the export, not the Statamic application or server; the data at risk is the form submission data the exporting user is already authorized to view.
Patches
This has been fixed in 5.73.24 and 6.20.1.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "statamic/cms"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.20.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "statamic/cms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.73.24"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54243"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T23:03:56Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nForm submission values were not neutralized for spreadsheet formula characters when exported to CSV. A submission containing a value beginning with a formula trigger character (e.g. \u00a0=\u00a0, \u00a0+\u00a0, \u00a0-\u00a0, \u00a0@\u00a0) could be interpreted as a live formula when a Control Panel user opens the export in a spreadsheet application. Form submissions can come from unauthenticated front-end visitors, so the malicious value can be supplied by an anonymous user and is later triggered by an editor opening the export.\n\nExploitation affects the spreadsheet application used to open the export, not the Statamic application or server; the data at risk is the form submission data the exporting user is already authorized to view.\n\n\n### Patches\n\nThis has been fixed in 5.73.24 and 6.20.1.",
"id": "GHSA-h77m-qrj7-jxcw",
"modified": "2026-06-26T23:03:56Z",
"published": "2026-06-26T23:03:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/statamic/cms/security/advisories/GHSA-h77m-qrj7-jxcw"
},
{
"type": "PACKAGE",
"url": "https://github.com/statamic/cms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Statamic Vulnerable to CSV formula injection in form submission exports"
}
GHSA-H7VQ-5QGW-JWWQ
Vulnerability from github – Published: 2021-10-18 19:04 – Updated: 2021-10-18 19:11Impact
In some circumstances, it was possible to export data in CSV format that could trigger a payload in old versions of Excel.
If you are accepting user input from untrusted sources and will be exporting that data in CSV format from element index pages and there is a chance users will open that on old versions of Excel, then you should update.
Patches
This has been patched in Craft 3.7.14.
References
- https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#3714---2021-09-28
- https://twitter.com/craftcmsupdates/status/1442928690145366018
For more information
If you have any questions or comments about this advisory, email us at support@craftcms.com
Credits: BAE Systems AI Vulnerability Research Team – Azrul Ikhwan Zulkifli
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.4.0"
},
{
"fixed": "3.7.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-41824"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2021-10-15T17:36:16Z",
"nvd_published_at": "2021-09-30T00:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nIn some circumstances, it was possible to export data in CSV format that could trigger a payload in old versions of Excel.\n\nIf you are accepting user input from untrusted sources and will be exporting that data in CSV format from element index pages and there is a chance users will open that on old versions of Excel, then you should update.\n\n### Patches\nThis has been patched in Craft 3.7.14.\n\n### References\n* https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#3714---2021-09-28\n* https://twitter.com/craftcmsupdates/status/1442928690145366018\n\n### For more information\n\nIf you have any questions or comments about this advisory, email us at support@craftcms.com\n\n----------\n\nCredits: BAE Systems AI Vulnerability Research Team \u2013 Azrul Ikhwan Zulkifli",
"id": "GHSA-h7vq-5qgw-jwwq",
"modified": "2021-10-18T19:11:00Z",
"published": "2021-10-18T19:04:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-h7vq-5qgw-jwwq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41824"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/c9cb2225f1b908fb1e8401d401219228634b26b2"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#3714---2021-09-28"
},
{
"type": "WEB",
"url": "https://twitter.com/craftcmsupdates/status/1442928690145366018"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "CSV Injection Vulnerability"
}
GHSA-H8R6-3PJ7-GWFH
Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2026-02-24 18:30SAP Business One - version 10.0, allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitation during the data export. An attacker could thereby execute arbitrary commands on the victim's computer but only if the victim allows to execute macros while opening the file and the security settings of Excel allow for command execution.
{
"affected": [],
"aliases": [
"CVE-2021-38180"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-12T15:15:00Z",
"severity": "CRITICAL"
},
"details": "SAP Business One - version 10.0, allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitation during the data export. An attacker could thereby execute arbitrary commands on the victim\u0027s computer but only if the victim allows to execute macros while opening the file and the security settings of Excel allow for command execution.",
"id": "GHSA-h8r6-3pj7-gwfh",
"modified": "2026-02-24T18:30:55Z",
"published": "2022-05-24T19:17:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38180"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/3079427"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HF85-QCCF-2W3H
Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19The admin backend in phpMyFAQ before 2.9.11 allows CSV injection in reports.
{
"affected": [],
"aliases": [
"CVE-2018-16651"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-07T05:29:00Z",
"severity": "HIGH"
},
"details": "The admin backend in phpMyFAQ before 2.9.11 allows CSV injection in reports.",
"id": "GHSA-hf85-qccf-2w3h",
"modified": "2022-05-13T01:19:16Z",
"published": "2022-05-13T01:19:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16651"
},
{
"type": "WEB",
"url": "https://www.phpmyfaq.de/security/advisory-2018-09-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HFW2-FVXC-CCVP
Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08A CWE-1236: Improper Neutralization of Formula Elements in a CSV File vulnerability exists in Easergy T300 with firmware V2.7.1 and older that would allow arbitrary command execution.
{
"affected": [],
"aliases": [
"CVE-2021-22771"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-21T15:15:00Z",
"severity": "HIGH"
},
"details": "A CWE-1236: Improper Neutralization of Formula Elements in a CSV File vulnerability exists in Easergy T300 with firmware V2.7.1 and older that would allow arbitrary command execution.",
"id": "GHSA-hfw2-fvxc-ccvp",
"modified": "2022-05-24T19:08:47Z",
"published": "2022-05-24T19:08:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22771"
},
{
"type": "WEB",
"url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-02"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HJC7-GRQV-7X6Q
Vulnerability from github – Published: 2022-11-07 12:00 – Updated: 2022-11-10 12:01The Import and export users and customers WordPress plugin before 1.20.5 does not properly escape data when exporting it via CSV files.
{
"affected": [],
"aliases": [
"CVE-2022-3558"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-07T10:15:00Z",
"severity": "HIGH"
},
"details": "The Import and export users and customers WordPress plugin before 1.20.5 does not properly escape data when exporting it via CSV files.",
"id": "GHSA-hjc7-grqv-7x6q",
"modified": "2022-11-10T12:01:04Z",
"published": "2022-11-07T12:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3558"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?new=2798139%40import-users-from-csv-with-meta\u0026old=2785785%40import-users-from-csv-with-meta"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/e3d72e04-9cdf-4b7d-953e-876e26abdfc6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HM75-8W6H-4F8F
Vulnerability from github – Published: 2023-06-23 15:30 – Updated: 2023-06-30 20:17Admidio prior to 4.2.9 is vulnerable toImproper Neutralization of Formula Elements in a CSV File.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "admidio/admidio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.2.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-3302"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-23T21:46:18Z",
"nvd_published_at": "2023-06-23T13:15:10Z",
"severity": "HIGH"
},
"details": "Admidio prior to 4.2.9 is vulnerable toImproper Neutralization of Formula Elements in a CSV File.",
"id": "GHSA-hm75-8w6h-4f8f",
"modified": "2023-06-30T20:17:57Z",
"published": "2023-06-23T15:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3302"
},
{
"type": "WEB",
"url": "https://github.com/admidio/admidio/commit/c87a7074a1a73c4851263060afd76aa4d5b6415f"
},
{
"type": "PACKAGE",
"url": "https://github.com/admidio/admidio"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/5e18619f-8379-464a-aad2-65883bb4e81a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Admidio Improper Neutralization of Formula Elements in a CSV File vulnerability"
}
GHSA-HP3G-5VJ7-7HGC
Vulnerability from github – Published: 2022-05-24 17:05 – Updated: 2024-05-20 21:31The TablePress plugin 1.9.2 for WordPress allows tablepress[data] CSV injection by Editor users.
{
"affected": [],
"aliases": [
"CVE-2019-20180"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-09T21:15:00Z",
"severity": "MODERATE"
},
"details": "The TablePress plugin 1.9.2 for WordPress allows tablepress[data] CSV injection by Editor users.",
"id": "GHSA-hp3g-5vj7-7hgc",
"modified": "2024-05-20T21:31:09Z",
"published": "2022-05-24T17:05:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20180"
},
{
"type": "WEB",
"url": "https://medium.com/%40Pablo0xSantiago/cve-2019-20180-tablepress-version-1-9-2-csv-injection-65309fcc8be8"
},
{
"type": "WEB",
"url": "https://medium.com/@Pablo0xSantiago/cve-2019-20180-tablepress-version-1-9-2-csv-injection-65309fcc8be8"
},
{
"type": "WEB",
"url": "https://wordpress.org/support/topic/security-issue-cve-2019-20180-for-tablepress/#post-16282996"
},
{
"type": "WEB",
"url": "https://wpvulndb.com/vulnerabilities/10016"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HRFW-PWJG-7PRC
Vulnerability from github – Published: 2023-12-29 06:30 – Updated: 2024-08-27 21:31CSV Injection vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows attackers to obtain sensitive information via the User Name field.
{
"affected": [],
"aliases": [
"CVE-2023-31296"
],
"database_specific": {
"cwe_ids": [
"CWE-1236",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-29T04:15:09Z",
"severity": "MODERATE"
},
"details": "CSV Injection vulnerability in Sesami Cash Point \u0026 Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows attackers to obtain sensitive information via the User Name field.",
"id": "GHSA-hrfw-pwjg-7prc",
"modified": "2024-08-27T21:31:10Z",
"published": "2023-12-29T06:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31296"
},
{
"type": "WEB",
"url": "https://herolab.usd.de/en/security-advisories/usd-2022-0054"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HVWW-M87W-QFPC
Vulnerability from github – Published: 2025-12-08 12:30 – Updated: 2025-12-08 12:30A security vulnerability has been detected in SourceCodester Inventory Management System 1.0. The affected element is an unknown function of the component SVC Report Export. Such manipulation leads to csv injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-14229"
],
"database_specific": {
"cwe_ids": [
"CWE-1236",
"CWE-74"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-08T11:15:48Z",
"severity": "MODERATE"
},
"details": "A security vulnerability has been detected in SourceCodester Inventory Management System 1.0. The affected element is an unknown function of the component SVC Report Export. Such manipulation leads to csv injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.",
"id": "GHSA-hvww-m87w-qfpc",
"modified": "2025-12-08T12:30:26Z",
"published": "2025-12-08T12:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14229"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.334671"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.334671"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.702119"
},
{
"type": "WEB",
"url": "https://www.notion.so/Spreadsheet-Formula-Injection-Leading-to-Remote-Code-Execution-in-SourceCodester-Inventory-Managemen-2b723917db8c80dfaaabe2b74d6f283d?source=copy_link"
},
{
"type": "WEB",
"url": "https://www.sourcecodester.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Mitigation
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Mitigation
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
No CAPEC attack patterns related to this CWE.