CWE-1236
AllowedImproper Neutralization of Formula Elements in a CSV File
Abstraction: Base · Status: Incomplete
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
401 vulnerabilities reference this CWE, most recent first.
GHSA-VWQW-277X-QQ2J
Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2023-02-24 21:30The Hustle (aka wordpress-popup) plugin 6.0.7 for WordPress is vulnerable to CSV Injection as it allows for injecting malicious code into a pop-up window. Successful exploitation grants an attacker with a right to execute malicious code on the administrator's computer through Excel functions as the plugin does not sanitize the user's input and allows insertion of any text.
{
"affected": [],
"aliases": [
"CVE-2019-11872"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-29T19:29:00Z",
"severity": "HIGH"
},
"details": "The Hustle (aka wordpress-popup) plugin 6.0.7 for WordPress is vulnerable to CSV Injection as it allows for injecting malicious code into a pop-up window. Successful exploitation grants an attacker with a right to execute malicious code on the administrator\u0027s computer through Excel functions as the plugin does not sanitize the user\u0027s input and allows insertion of any text.",
"id": "GHSA-vwqw-277x-qq2j",
"modified": "2023-02-24T21:30:19Z",
"published": "2022-05-24T16:46:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11872"
},
{
"type": "WEB",
"url": "https://blog.reddy.io/2019/05/24/reddy-solutions-found-a-csv-injection-vulnerability-in-hustle-wordpress-plugin"
},
{
"type": "WEB",
"url": "https://blog.reddy.io/category/cybersecurity"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/wordpress-popup/#developers"
},
{
"type": "WEB",
"url": "https://wpvulndb.com/vulnerabilities/9326"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W3W2-8HQ7-8FMW
Vulnerability from github – Published: 2022-11-21 12:30 – Updated: 2022-11-23 18:30The Easy Digital Downloads WordPress plugin before 3.1.0.2 does not validate data when its output in a CSV file, which could lead to CSV injection.
{
"affected": [],
"aliases": [
"CVE-2022-3600"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-21T11:15:00Z",
"severity": "CRITICAL"
},
"details": "The Easy Digital Downloads WordPress plugin before 3.1.0.2 does not validate data when its output in a CSV file, which could lead to CSV injection.",
"id": "GHSA-w3w2-8hq7-8fmw",
"modified": "2022-11-23T18:30:28Z",
"published": "2022-11-21T12:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3600"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/16e2d970-19d0-42d1-8fb1-e7cb14ace1d0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W8PH-83JM-G88M
Vulnerability from github – Published: 2024-03-21 03:36 – Updated: 2024-03-21 03:36IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 259354.
{
"affected": [],
"aliases": [
"CVE-2023-35899"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-21T02:47:58Z",
"severity": "HIGH"
},
"details": "IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 259354.",
"id": "GHSA-w8ph-83jm-g88m",
"modified": "2024-03-21T03:36:45Z",
"published": "2024-03-21T03:36:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35899"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/259354"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7030357"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W9QH-PVX2-RHMH
Vulnerability from github – Published: 2022-06-03 00:00 – Updated: 2022-06-14 00:00PowerStore SW v2.1.1.0 supports the option to export data to either a CSV or an XLSX file. The data is taken as is, without any validation or sanitization. It allows a malicious, authenticated user to inject payloads that might get interpreted as formulas by the corresponding spreadsheet application that is being used to open the CSV/XLSX file.
{
"affected": [],
"aliases": [
"CVE-2022-26867"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-02T21:15:00Z",
"severity": "HIGH"
},
"details": "PowerStore SW v2.1.1.0 supports the option to export data to either a CSV or an XLSX file. The data is taken as is, without any validation or sanitization. It allows a malicious, authenticated user to inject payloads that might get interpreted as formulas by the corresponding spreadsheet application that is being used to open the CSV/XLSX file.",
"id": "GHSA-w9qh-pvx2-rhmh",
"modified": "2022-06-14T00:00:29Z",
"published": "2022-06-03T00:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26867"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/000196367"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WC29-X275-PGCQ
Vulnerability from github – Published: 2022-11-09 12:00 – Updated: 2022-11-09 19:02CSV Injection vulnerability in Activity Log Team Activity Log <= 2.8.3 on WordPress.
{
"affected": [],
"aliases": [
"CVE-2022-27858"
],
"database_specific": {
"cwe_ids": [
"CWE-1236",
"CWE-74"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-08T19:15:00Z",
"severity": "CRITICAL"
},
"details": "CSV Injection vulnerability in Activity Log Team Activity Log \u003c= 2.8.3 on WordPress.",
"id": "GHSA-wc29-x275-pgcq",
"modified": "2022-11-09T19:02:26Z",
"published": "2022-11-09T12:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27858"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/aryo-activity-log/wordpress-activity-log-plugin-2-8-3-csv-injection-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/aryo-activity-log/#developers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WC34-P4FH-WR9Q
Vulnerability from github – Published: 2025-07-31 21:31 – Updated: 2026-01-12 09:30An issue was discovered in Archer Technology RSA Archer 6.11.00204.10014 allowing attackers to execute arbitrary code via crafted system inputs that would be exported into the CSV and be executed after the user opened the file with compatible applications.
{
"affected": [],
"aliases": [
"CVE-2025-50572"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-31T20:15:43Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Archer Technology RSA Archer 6.11.00204.10014 allowing attackers to execute arbitrary code via crafted system inputs that would be exported into the CSV and be executed after the user opened the file with compatible applications.",
"id": "GHSA-wc34-p4fh-wr9q",
"modified": "2026-01-12T09:30:30Z",
"published": "2025-07-31T21:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50572"
},
{
"type": "WEB",
"url": "https://github.com/shorooq-hummdi/Archer-csv-injection-command-exec/blob/main/README.md"
},
{
"type": "WEB",
"url": "https://www.archerirm.community/s/blogs/formula-injection-into-csv-files-vulnerability-in-rsa-archer-6-1-x-and-higher-MCOCQFO3WCQBCCHMKNC74JGSFWQY"
},
{
"type": "WEB",
"url": "http://archer.com"
},
{
"type": "WEB",
"url": "http://rsa.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WHXV-P57P-V97W
Vulnerability from github – Published: 2022-09-25 00:00 – Updated: 2022-09-28 00:00Authenticated (author+) CSV Injection vulnerability in Export Post Info plugin <= 1.2.0 at WordPress.
{
"affected": [],
"aliases": [
"CVE-2022-38061"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-23T15:15:00Z",
"severity": "MODERATE"
},
"details": "Authenticated (author+) CSV Injection vulnerability in Export Post Info plugin \u003c= 1.2.0 at WordPress.",
"id": "GHSA-whxv-p57p-v97w",
"modified": "2022-09-28T00:00:24Z",
"published": "2022-09-25T00:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38061"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/export-post-info/wordpress-export-post-info-plugin-1-2-0-authenticated-csv-injection-vulnerability/_s_id=cve"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/export-post-info/#developers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WP6X-2JJ2-VXHW
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export.
{
"affected": [],
"aliases": [
"CVE-2021-27020"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-30T18:15:00Z",
"severity": "HIGH"
},
"details": "Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export.",
"id": "GHSA-wp6x-2jj2-vxhw",
"modified": "2022-05-24T19:12:28Z",
"published": "2022-05-24T19:12:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27020"
},
{
"type": "WEB",
"url": "https://puppet.com/security/cve/CVE-2021-27020"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WP9X-2QX4-MFCG
Vulnerability from github – Published: 2022-10-25 19:00 – Updated: 2022-10-26 12:00The Post to CSV by BestWebSoft WordPress plugin through 1.4.0 does not properly escape fields when exporting data as CSV, leading to a CSV injection
{
"affected": [],
"aliases": [
"CVE-2022-3393"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-25T17:15:00Z",
"severity": "CRITICAL"
},
"details": "The Post to CSV by BestWebSoft WordPress plugin through 1.4.0 does not properly escape fields when exporting data as CSV, leading to a CSV injection",
"id": "GHSA-wp9x-2qx4-mfcg",
"modified": "2022-10-26T12:00:30Z",
"published": "2022-10-25T19:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3393"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/689b4c42-c516-4c57-8ec7-3a6f12a3594e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WQ79-2F22-34W5
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34IBM FileNet Content Manager 5.5.4 and 5.5.5 is potentially vulnerable to CVS Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 188736.
{
"affected": [],
"aliases": [
"CVE-2020-4759"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-09T21:15:00Z",
"severity": "HIGH"
},
"details": "IBM FileNet Content Manager 5.5.4 and 5.5.5 is potentially vulnerable to CVS Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 188736.",
"id": "GHSA-wq79-2f22-34w5",
"modified": "2022-05-24T17:34:05Z",
"published": "2022-05-24T17:34:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4759"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/188736"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6336917"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Mitigation
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Mitigation
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
No CAPEC attack patterns related to this CWE.