Common Weakness Enumeration

CWE-1236

Allowed

Improper Neutralization of Formula Elements in a CSV File

Abstraction: Base · Status: Incomplete

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

401 vulnerabilities reference this CWE, most recent first.

GHSA-RQXC-9P8H-XQGQ

Vulnerability from github – Published: 2023-12-24 06:30 – Updated: 2023-12-28 18:45
VLAI
Summary
Duplicate Advisory: ActiveAdmin vulnerable to CSV injection
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-xhvv-3jww-c487. This link is maintained to preserve external references.

Original Description

csv_builder.rb in ActiveAdmin (aka Active Admin) before 3.2.0 allows CSV injection.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "activeadmin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-27T15:07:14Z",
    "nvd_published_at": "2023-12-24T04:15:07Z",
    "severity": "HIGH"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-xhvv-3jww-c487. This link is maintained to preserve external references.\n\n## Original Description\ncsv_builder.rb in ActiveAdmin (aka Active Admin) before 3.2.0 allows CSV injection.",
  "id": "GHSA-rqxc-9p8h-xqgq",
  "modified": "2023-12-28T18:45:19Z",
  "published": "2023-12-24T06:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51763"
    },
    {
      "type": "WEB",
      "url": "https://github.com/activeadmin/activeadmin/pull/8161"
    },
    {
      "type": "WEB",
      "url": "https://github.com/activeadmin/activeadmin/commit/697be2b183491beadc8f0b7d8b5bfb44f2387909"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/activeadmin/activeadmin"
    },
    {
      "type": "WEB",
      "url": "https://github.com/activeadmin/activeadmin/releases/tag/v3.2.0"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-rqxc-9p8h-xqgq"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activeadmin/CVE-2023-51763.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate Advisory: ActiveAdmin vulnerable to CSV injection",
  "withdrawn": "2023-12-28T18:45:19Z"
}

GHSA-RW22-Q8XF-9QV3

Vulnerability from github – Published: 2022-05-13 01:20 – Updated: 2022-05-13 01:20
VLAI
Details

Tiki 17.1 does not validate user input for special characters; consequently, a CSV Injection attack can open a CMD.EXE or Calculator window on the victim machine to perform malicious activity, as demonstrated by an "=cmd|' /C calc'!A0" payload during User Creation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-7304"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-21T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "Tiki 17.1 does not validate user input for special characters; consequently, a CSV Injection attack can open a CMD.EXE or Calculator window on the victim machine to perform malicious activity, as demonstrated by an \"=cmd|\u0027 /C calc\u0027!A0\" payload during User Creation.",
  "id": "GHSA-rw22-q8xf-9qv3",
  "modified": "2022-05-13T01:20:34Z",
  "published": "2022-05-13T01:20:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7304"
    },
    {
      "type": "WEB",
      "url": "https://websecnerd.blogspot.in/2018/01/tiki-wiki-cms-groupware-17.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RWR5-X2HJ-VJ32

Vulnerability from github – Published: 2025-01-14 15:30 – Updated: 2025-07-16 15:32
VLAI
Details

An improper neutralization of formula elements in a csv file in Fortinet FortiSOAR 7.2.1 through 7.4.1 allows attacker to execute unauthorized code or commands via manipulating csv file

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47572"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-14T14:15:32Z",
    "severity": "CRITICAL"
  },
  "details": "An improper neutralization of formula elements in a csv file in Fortinet FortiSOAR 7.2.1 through 7.4.1 allows attacker to execute unauthorized code or commands via manipulating csv file",
  "id": "GHSA-rwr5-x2hj-vj32",
  "modified": "2025-07-16T15:32:05Z",
  "published": "2025-01-14T15:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47572"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-210"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RX9F-2J6Q-9PFF

Vulnerability from github – Published: 2023-11-07 21:30 – Updated: 2026-04-28 15:30
VLAI
Details

Improper Neutralization of Formula Elements in a CSV File vulnerability in Paul Ryley Site Reviews.This issue affects Site Reviews: from n/a through 6.2.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-46801"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-07T17:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in Paul Ryley Site Reviews.This issue affects Site Reviews: from n/a through 6.2.0.",
  "id": "GHSA-rx9f-2j6q-9pff",
  "modified": "2026-04-28T15:30:34Z",
  "published": "2023-11-07T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46801"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/site-reviews/vulnerability/wordpress-site-reviews-plugin-6-2-0-unauth-csv-injection-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/site-reviews/wordpress-site-reviews-plugin-6-2-0-unauth-csv-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V5GW-52QQ-F42H

Vulnerability from github – Published: 2025-02-20 18:31 – Updated: 2025-11-04 21:31
VLAI
Details

PHPJabbers Bus Reservation System v1.1 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-51319"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-20T16:15:34Z",
    "severity": "HIGH"
  },
  "details": "PHPJabbers Bus Reservation System v1.1 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.",
  "id": "GHSA-v5gw-52qq-f42h",
  "modified": "2025-11-04T21:31:30Z",
  "published": "2025-02-20T18:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51319"
    },
    {
      "type": "WEB",
      "url": "https://packetstorm.news/files/id/176500"
    },
    {
      "type": "WEB",
      "url": "https://www.phpjabbers.com/bus-reservation-system/#sectionDemo"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/176500/PHPJabbers-Bus-Reservation-System-1.1-CSV-Injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V6V8-VP6W-87V3

Vulnerability from github – Published: 2023-12-29 06:30 – Updated: 2024-01-08 15:30
VLAI
Details

CSV Injection vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to obtain sensitive information via the User Profile field.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31295"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-29T06:15:43Z",
    "severity": "HIGH"
  },
  "details": "CSV Injection vulnerability in Sesami Cash Point \u0026 Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to obtain sensitive information via the User Profile field.",
  "id": "GHSA-v6v8-vp6w-87v3",
  "modified": "2024-01-08T15:30:26Z",
  "published": "2023-12-29T06:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31295"
    },
    {
      "type": "WEB",
      "url": "https://herolab.usd.de/en/security-advisories/usd-2022-0053"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VFRW-M2C3-HH6G

Vulnerability from github – Published: 2023-11-15 15:30 – Updated: 2026-04-28 15:30
VLAI
Details

Improper Neutralization of Formula Elements in a CSV File vulnerability in AyeCode Ltd UsersWP.This issue affects UsersWP: from n/a through 1.2.3.9.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47442"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-07T15:15:10Z",
    "severity": "HIGH"
  },
  "details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in AyeCode Ltd UsersWP.This issue affects UsersWP: from n/a through 1.2.3.9.",
  "id": "GHSA-vfrw-m2c3-hh6g",
  "modified": "2026-04-28T15:30:34Z",
  "published": "2023-11-15T15:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47442"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/userswp/vulnerability/wordpress-userswp-front-end-login-form-user-registration-user-profile-members-directory-plugin-for-wordpress-plugin-1-2-3-9-csv-injection?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/userswp/wordpress-userswp-front-end-login-form-user-registration-user-profile-members-directory-plugin-for-wordpress-plugin-1-2-3-9-csv-injection?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJ22-XMP8-4MF5

Vulnerability from github – Published: 2022-12-12 18:30 – Updated: 2022-12-15 18:30
VLAI
Details

The WP CSV Exporter WordPress plugin before 1.3.7 does not properly escape the fields when exporting data as CSV, leading to a CSV injection vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3605"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-12T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "The WP CSV Exporter WordPress plugin before 1.3.7 does not properly escape the fields when exporting data as CSV, leading to a CSV injection vulnerability.",
  "id": "GHSA-vj22-xmp8-4mf5",
  "modified": "2022-12-15T18:30:17Z",
  "published": "2022-12-12T18:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3605"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/28ecdf61-e478-42c3-87c0-80a9912eadb2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VM5F-653C-MWV3

Vulnerability from github – Published: 2026-05-11 12:32 – Updated: 2026-05-11 12:32
VLAI
Details

Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0, contains an improper neutralization of formula elements in a CSV File vulnerability in the UI. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to remote execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-35157"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-11T10:16:13Z",
    "severity": "MODERATE"
  },
  "details": "Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0, contains an improper neutralization of formula elements in a CSV File vulnerability in the UI. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to remote execution.",
  "id": "GHSA-vm5f-653c-mwv3",
  "modified": "2026-05-11T12:32:31Z",
  "published": "2026-05-11T12:32:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35157"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000462117/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VM5P-28RV-RR68

Vulnerability from github – Published: 2022-11-21 18:30 – Updated: 2022-11-23 15:30
VLAI
Details

Sourcecodester Event Registration App v1.0 was discovered to contain multiple CSV injection vulnerabilities via the First Name, Contact and Remarks fields. These vulnerabilities allow attackers to execute arbitrary code via a crafted excel file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-44830"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-21T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Sourcecodester Event Registration App v1.0 was discovered to contain multiple CSV injection vulnerabilities via the First Name, Contact and Remarks fields. These vulnerabilities allow attackers to execute arbitrary code via a crafted excel file.",
  "id": "GHSA-vm5p-28rv-rr68",
  "modified": "2022-11-23T15:30:22Z",
  "published": "2022-11-21T18:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44830"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RashidKhanPathan/CVE-2022-44830"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

Mitigation
Implementation

If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Mitigation
Architecture and Design

Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

No CAPEC attack patterns related to this CWE.