VYPR

CWE-1236

Improper Neutralization of Formula Elements in a CSV File

Base | Incomplete

Description

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (117)

page 2 of 6
  • CVE-2018-11526 | High | Jun 19, 2018
    risk 0.54 | cvss 7.8 | epss 0.05

    The plugin "WordPress Comments Import & Export" for WordPress (v2.0.4 and before) is vulnerable to CSV Injection.

  • CVE-2018-10504 | High | Apr 27, 2018
    risk 0.54 | cvss 7.8 | epss 0.05

    The WebDorado "Form Maker by WD" plugin before 1.12.24 for WordPress allows CSV injection.

  • CVE-2018-16275 | High | Aug 31, 2018
    risk 0.51 | cvss 7.8 | epss 0.01

    OPSWAT MetaDefender before v4.11.2 allows CSV injection.

  • CVE-2022-41616 | High | Nov 7, 2023
    risk 0.49 | cvss 7.6 | epss 0.01

    Improper Neutralization of Formula Elements in a CSV File vulnerability in Kaushik Kalathiya Export Users Data CSV. This issue affects Export Users Data CSV: from n/a through 2.1.

  • CVE-2018-16651 | High | Sep 7, 2018
    risk 0.47 | cvss 7.2 | epss 0.01

    The admin backend in phpMyFAQ before 2.9.11 allows CSV injection in reports.

  • CVE-2018-11525 | High | Jun 19, 2018
    risk 0.47 | cvss 7.8 | epss 0.05

    The plugin "Advanced Order Export For WooCommerce" for WordPress (v1.5.4 and before) is vulnerable to CSV Injection.

  • CVE-2018-9137 | Medium | Apr 19, 2018
    risk 0.47 | cvss 6.8 | epss 0.03

    Open-AudIT before 2.2 has CSV Injection.

  • CVE-2025-52612 | High | Jun 4, 2026
    risk 0.46 | cvss 7.1 | epss 0.00

    HCL iControl was affected by Export CSV - CSV Injection vulnerability. It is vulnerable to a reflected cross-site scripting vulnerability. This was caused by an insufficient sanitation of input parameters.

  • CVE-2025-58855 | High | Sep 5, 2025
    risk 0.46 | cvss 7.1 | epss 0.00

    Improper Neutralization of Formula Elements in a CSV File vulnerability in Denis V (Artprima) AP HoneyPot WordPress Plugin ap-honeypot allows Reflected XSS. This issue affects AP HoneyPot WordPress Plugin: from n/a through <= 1.4.

  • CVE-2022-41791 | Medium | Nov 17, 2022
    risk 0.44 | cvss 6.8 | epss 0.01

    Auth. (subscriber+) CSV Injection vulnerability in ProfileGrid plugin <= 5.1.6 on WordPress.

  • CVE-2025-13133 | Medium | Nov 18, 2025
    risk 0.43 | cvss 6.6 | epss 0.00

    The Simple User Import Export plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.1.7 via the 'Import/export users' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted…

  • CVE-2026-24447 | Medium | Feb 4, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    If malformed data is input to the affected product, a CSV file downloaded from the affected product may contain such malformed data. When a victim user downloads and opens such a CSV file, the embedded code may be executed in the user's environment. Note that Movable Type 7…

  • CVE-2025-60852 | Medium | Oct 23, 2025
    risk 0.42 | cvss 6.5 | epss 0.00

    A CSV Injection vulnerability existed in Instant Developer Foundation versions prior to 25.0.9600. Applications built with affected versions of the framework did not properly sanitize user-controlled input before including it in CSV exports. This issue could lead to code…

  • CVE-2022-3026 | Medium | Sep 6, 2022
    risk 0.42 | cvss 6.5 | epss 0.01

    The WP Users Exporter plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.2 via the 'Export Users' functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into profile information like…

  • CVE-2025-12249 | Medium | Oct 27, 2025
    risk 0.41 | cvss 6.3 | epss 0.00

    A vulnerability was detected in Axosoft Scrum and Bug Tracking 22.1.1.11545. The impacted element is an unknown function of the component Edit Ticket Page. Performing manipulation of the argument Title results in csv injection. It is possible to initiate the attack remotely. The…

  • CVE-2025-9241 | Medium | Aug 20, 2025
    risk 0.41 | cvss 6.3 | epss 0.00

    A weakness has been identified in elunez eladmin up to 2.7. This affects the function exportUser. This manipulation causes csv injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited.

  • CVE-2023-5527 | High | Jun 18, 2024
    risk 0.41 | cvss 7.4 | epss 0.00

    The Business Directory Plugin plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 6.4.3 via the class-csv-exporter.php file. This allows authenticated attackers, with author-level permissions and above, to embed untrusted input into CSV files…

  • CVE-2025-11498 | Medium | Oct 14, 2025
    risk 0.40 | cvss 6.1 | epss 0.00

    An Improper Neutralization of Formula Elements in a CSV File vulnerability exists in System Diagnostics Manager (SDM) of B&R Automation Runtime versions before 6.4 enabling a remote attacker to inject formula data into a generated CSV file. The exploitation of this vulnerability…

  • CVE-2022-46809 | Medium | Nov 7, 2023
    risk 0.40 | cvss 6.1 | epss 0.01

    Improper Neutralization of Formula Elements in a CSV File vulnerability in WPDeveloper ReviewX – Multi-criteria Rating & Reviews for WooCommerce. This issue affects ReviewX – Multi-criteria Rating & Reviews for WooCommerce: from n/a through 1.6.7.

  • CVE-2022-46803 | Medium | Nov 7, 2023
    risk 0.40 | cvss 6.1 | epss 0.01

    Improper Neutralization of Formula Elements in a CSV File vulnerability in Noptin Newsletter Simple Newsletter Plugin – Noptin. This issue affects Simple Newsletter Plugin – Noptin: from n/a through 1.9.5.