CVE-2021-41824
Description
Craft CMS before 3.7.14 allows CSV injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Craft CMS before 3.7.14 allows CSV injection via exported data, potentially leading to code execution when opened in spreadsheet software.
Vulnerability
Craft CMS versions before 3.7.14 contain a CSV injection vulnerability in the export functionality. When generating CSV files, fields starting with characters such as =, -, +, or @ are not sanitized, allowing malicious spreadsheet formulas to be embedded. This affects all versions prior to 3.7.14. [1][2][4]
Exploitation
An attacker with the ability to influence data that is exported to CSV, such as content authors, can inject formulas beginning with the suspect characters. When the exported CSV is opened in spreadsheet software like Microsoft Excel or LibreOffice Calc, the formulas execute automatically, potentially allowing arbitrary code execution on the victim's machine. [4]
Impact
Successful exploitation can lead to remote code execution on the user's system with the privileges of the user opening the file. This compromises the confidentiality, integrity, and availability of the victim's data. [1][2]
Mitigation
The vulnerability is fixed in Craft CMS version 3.7.14, released on 2021-09-28. Users should upgrade to 3.7.14 or later. No official workaround is available. [2][4]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
craftcms/cmsPackagist | >= 3.4.0, < 3.7.14 | 3.7.14 |
Affected products
2- Craft CMS/Craft CMSdescription
Patches
1c9cb2225f1b9Fixed a potential CSV injection vulnerability.
2 files changed · +11 −0
CHANGELOG.md+3 −0 modified@@ -28,6 +28,9 @@ - Fixed a bug where duplicated entries that were created via an “Applying new propagation method” job weren’t getting positioned correctly based on the original entries’ structure. ([#9782](https://github.com/craftcms/cms/issues/9782)) - Fixed a bug where unpublished drafts could disappear after clicking “Create entry” if the URI could not be made unique. ([#9873](https://github.com/craftcms/cms/issues/9873)) +### Security +- Fixed a potential CSV injection vulnerability. + ## 3.7.13 - 2021-09-14 ### Added
src/web/CsvResponseFormatter.php+8 −0 modified@@ -83,10 +83,18 @@ public function format($response) fputcsv($fp, $headers, ','); } + $suspectCharacters = ['=', '-', '+', '@']; + foreach ($data as $row) { foreach ($row as &$field) { if (is_scalar($field)) { $field = (string)$field; + + // Guard against CSV injection attacks + // https://github.com/thephpleague/csv/issues/268 + if ($field && $field !== '' && in_array($field[0], $suspectCharacters)) { + $field = "\t$field"; + } } else { $field = Json::encode($field); }
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-h7vq-5qgw-jwwqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-41824ghsaADVISORY
- github.com/craftcms/cms/blob/develop/CHANGELOG.mdghsax_refsource_MISCWEB
- github.com/craftcms/cms/commit/c9cb2225f1b908fb1e8401d401219228634b26b2ghsaWEB
- github.com/craftcms/cms/security/advisories/GHSA-h7vq-5qgw-jwwqghsax_refsource_MISCWEB
- twitter.com/craftcmsupdates/status/1442928690145366018ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.