Common Weakness Enumeration

CWE-1236

Allowed

Improper Neutralization of Formula Elements in a CSV File

Abstraction: Base · Status: Incomplete

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

401 vulnerabilities reference this CWE, most recent first.

GHSA-WR7V-H9P2-5FR6

Vulnerability from github – Published: 2023-11-07 21:30 – Updated: 2026-04-28 21:33
VLAI
Details

Improper Neutralization of Formula Elements in a CSV File vulnerability in Icegram Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce.This issue affects Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce: from n/a through 5.5.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-45810"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-07T17:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in Icegram Icegram Express \u2013 Email Marketing, Newsletters and Automation for WordPress \u0026 WooCommerce.This issue affects Icegram Express \u2013 Email Marketing, Newsletters and Automation for WordPress \u0026 WooCommerce: from n/a through 5.5.2.",
  "id": "GHSA-wr7v-h9p2-5fr6",
  "modified": "2026-04-28T21:33:02Z",
  "published": "2023-11-07T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45810"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/email-subscribers/vulnerability/wordpress-icegram-express-email-subscribers-newsletters-and-marketing-automation-plugin-plugin-5-5-2-csv-injection?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/email-subscribers/wordpress-icegram-express-email-subscribers-newsletters-and-marketing-automation-plugin-plugin-5-5-2-csv-injection?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WX87-PJ46-74F6

Vulnerability from github – Published: 2022-06-08 00:00 – Updated: 2022-06-15 00:00
VLAI
Details

A vulnerability, which was classified as critical, has been found in SevOne Network Management System up to 5.7.2.22. This issue affects the Device Manager Page. An injection leads to privilege escalation. The attack may be initiated remotely.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-36531"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-07T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability, which was classified as critical, has been found in SevOne Network Management System up to 5.7.2.22. This issue affects the Device Manager Page. An injection leads to privilege escalation. The attack may be initiated remotely.",
  "id": "GHSA-wx87-pj46-74f6",
  "modified": "2022-06-15T00:00:23Z",
  "published": "2022-06-08T00:00:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36531"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.162263"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2020/Oct/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X232-X9VJ-7XWQ

Vulnerability from github – Published: 2023-08-28 03:30 – Updated: 2024-04-04 07:13
VLAI
Details

IBM InfoSphere Information Server 11.7 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 244368.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22877"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-28T01:15:07Z",
    "severity": "HIGH"
  },
  "details": "IBM InfoSphere Information Server 11.7 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents.  IBM X-Force ID:  244368.",
  "id": "GHSA-x232-x9vj-7xwq",
  "modified": "2024-04-04T07:13:44Z",
  "published": "2023-08-28T03:30:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22877"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/244368"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6988623"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X2H4-97PF-V2RR

Vulnerability from github – Published: 2026-01-27 18:32 – Updated: 2026-01-27 18:32
VLAI
Details

Knockpy 4.1.1 contains a CSV injection vulnerability that allows attackers to inject malicious formulas into CSV reports through unfiltered server headers. Attackers can manipulate server response headers to include spreadsheet formulas that will execute when the CSV is opened in spreadsheet applications.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-36941"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-27T16:16:11Z",
    "severity": "MODERATE"
  },
  "details": "Knockpy 4.1.1 contains a CSV injection vulnerability that allows attackers to inject malicious formulas into CSV reports through unfiltered server headers. Attackers can manipulate server response headers to include spreadsheet formulas that will execute when the CSV is opened in spreadsheet applications.",
  "id": "GHSA-x2h4-97pf-v2rr",
  "modified": "2026-01-27T18:32:13Z",
  "published": "2026-01-27T18:32:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36941"
    },
    {
      "type": "WEB",
      "url": "https://github.com/guelfoweb/knock"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/49342"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/knockpy-csv-injection"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-X2V3-9P22-W3X6

Vulnerability from github – Published: 2025-12-18 00:34 – Updated: 2026-01-02 15:47
VLAI
Summary
phpMyFAQ contains a CSV injection vulnerability
Details

phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV file.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "thorsten/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.1.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpmyfaq/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.1.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-53929"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-02T15:47:39Z",
    "nvd_published_at": "2025-12-17T23:15:52Z",
    "severity": "MODERATE"
  },
  "details": "phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like \u0027calc|a!z|\u0027 to trigger code execution when an administrator exports user data as a CSV file.",
  "id": "GHSA-x2v3-9p22-w3x6",
  "modified": "2026-01-02T15:47:39Z",
  "published": "2025-12-18T00:34:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53929"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thorsten/phpMyFAQ"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/51399"
    },
    {
      "type": "WEB",
      "url": "https://www.phpmyfaq.de"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/phpmyfaq-csv-injection-via-user-profile-export"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "phpMyFAQ contains a CSV injection vulnerability"
}

GHSA-X53X-G43Q-33F7

Vulnerability from github – Published: 2026-06-04 12:30 – Updated: 2026-06-04 12:30
VLAI
Details

HCL iControl was affected by Export CSV - CSV Injection vulnerability. It is vulnerable to a reflected cross-site scripting vulnerability. This was caused by an insufficient sanitation of input parameters. .

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-52612"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-04T12:16:24Z",
    "severity": "HIGH"
  },
  "details": "HCL iControl was affected by Export CSV - CSV Injection vulnerability. It is vulnerable to a reflected cross-site scripting vulnerability. This was caused by an insufficient sanitation of input parameters. .",
  "id": "GHSA-x53x-g43q-33f7",
  "modified": "2026-06-04T12:30:26Z",
  "published": "2026-06-04T12:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52612"
    },
    {
      "type": "WEB",
      "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131041"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X63R-X798-GV8P

Vulnerability from github – Published: 2022-05-24 17:11 – Updated: 2022-05-24 17:11
VLAI
Details

admin/include/operations.php (via admin/email-harvester.php) in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject untrusted input inside CSV files via the POST parameter data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-10460"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236",
      "CWE-74"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-12T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "admin/include/operations.php (via admin/email-harvester.php) in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject untrusted input inside CSV files via the POST parameter data.",
  "id": "GHSA-x63r-x798-gv8p",
  "modified": "2022-05-24T17:11:14Z",
  "published": "2022-05-24T17:11:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10460"
    },
    {
      "type": "WEB",
      "url": "https://antoniocannito.it/phpkb1#csv-injection-cve-2020-10460"
    },
    {
      "type": "WEB",
      "url": "http://antoniocannito.it/?p=137#csvinj"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X6C4-GW3R-222G

Vulnerability from github – Published: 2022-07-26 00:01 – Updated: 2022-07-30 00:00
VLAI
Details

The Exports and Reports WordPress plugin before 0.9.2 does not sanitize and validate data when generating the CSV to export, which could lead to a CSV injection, by the use of Microsoft Excel DDE function, or to leak data via maliciously injected hyperlinks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1539"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-25T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Exports and Reports WordPress plugin before 0.9.2 does not sanitize and validate data when generating the CSV to export, which could lead to a CSV injection, by the use of Microsoft Excel DDE function, or to leak data via maliciously injected hyperlinks.",
  "id": "GHSA-x6c4-gw3r-222g",
  "modified": "2022-07-30T00:00:35Z",
  "published": "2022-07-26T00:01:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1539"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/50f70927-9677-4ba4-a388-0a41ed356523"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X7G4-2JWR-PR3R

Vulnerability from github – Published: 2025-11-28 15:30 – Updated: 2025-11-28 18:30
VLAI
Details

CSV formula injection vulnerability in HCL Technologies Ltd. Unica 12.0.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-51735"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-28T15:16:01Z",
    "severity": "HIGH"
  },
  "details": "CSV formula injection vulnerability in HCL Technologies Ltd. Unica 12.0.0.",
  "id": "GHSA-x7g4-2jwr-pr3r",
  "modified": "2025-11-28T18:30:23Z",
  "published": "2025-11-28T15:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51735"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/ikpehlivan/4361fa808e04d884e4771be88e891ec2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X963-3P8C-J4M6

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2024-03-21 03:34
VLAI
Details

A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable and a reverse shell could be obtained if a privileged user exports "User Attempts Audit Report" as CSV file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33256"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-09T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable and a reverse shell could be obtained if a privileged user exports \"User Attempts Audit Report\" as CSV file.",
  "id": "GHSA-x963-3p8c-j4m6",
  "modified": "2024-03-21T03:34:05Z",
  "published": "2022-05-24T19:10:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33256"
    },
    {
      "type": "WEB",
      "url": "https://docs.unsafe-inline.com/0day/manageengine-adselfservice-plus-6.1-csv-injection"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

Mitigation
Implementation

If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Mitigation
Architecture and Design

Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

No CAPEC attack patterns related to this CWE.