CWE-1236
Improper Neutralization of Formula Elements in a CSV File
Description
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (117)
Page 3 of 6

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-46801 | | Med | 0.40 | 6.1 | 0.01 | | Nov 7, 2023 | Improper Neutralization of Formula Elements in a CSV File vulnerability in Paul Ryley Site Reviews. This issue affects Site Reviews: from n/a through 6.2.0. |
| CVE-2022-45370 | | Med | 0.40 | 6.1 | 0.01 | | Nov 7, 2023 | Improper Neutralization of Formula Elements in a CSV File vulnerability in WebToffee WordPress Comments Import & Export. This issue affects WordPress Comments Import & Export: from n/a through 2.3.1. |
| CVE-2022-46802 | | Med | 0.40 | 6.1 | 0.01 | | Nov 7, 2023 | Improper Neutralization of Formula Elements in a CSV File vulnerability in WebToffee Product Reviews Import Export for WooCommerce. This issue affects Product Reviews Import Export for WooCommerce: from n/a through 1.4.8. |
| CVE-2022-45357 | | Med | 0.40 | 6.1 | 0.01 | | Nov 7, 2023 | Improper Neutralization of Formula Elements in a CSV File vulnerability in Lenderd 1003 Mortgage Application. This issue affects 1003 Mortgage Application: from n/a through 1.75. |
| CVE-2026-35157 | | Med | 0.38 | 5.8 | 0.00 | | May 11, 2026 | Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0, contains an improper neutralization of formula elements in a CSV File vulnerability in the UI. An unauthenticated attacker with remote access could potentially exploit this vulnerability,… |
| CVE-2022-44738 | | Med | 0.38 | 5.8 | 0.01 | | Nov 7, 2023 | Improper Neutralization of Formula Elements in a CSV File vulnerability in Patrick Robrecht Posts and Users Stats. This issue affects Posts and Users Stats: from n/a through 1.1.3. |
| CVE-2022-42882 | | Med | 0.38 | 5.8 | 0.01 | | Nov 7, 2023 | Improper Neutralization of Formula Elements in a CSV File vulnerability in Shambix Simple CSV/XLS Exporter. This issue affects Simple CSV/XLS Exporter: from n/a through 1.5.8. |
| CVE-2022-38702 | | Med | 0.38 | 5.8 | 0.01 | | Nov 7, 2023 | Improper Neutralization of Formula Elements in a CSV File vulnerability in Nakashima Masahiro WP CSV Exporter. This issue affects WP CSV Exporter: from n/a through 2.0. |
| CVE-2022-46821 | | Med | 0.38 | 5.8 | 0.01 | | Nov 7, 2023 | Improper Neutralization of Formula Elements in a CSV File vulnerability in Jackmail & Sarbacane Emails & Newsletters with Jackmail. This issue affects Emails & Newsletters with Jackmail: from n/a through 1.2.22. |
| CVE-2022-46804 | | Med | 0.38 | 5.8 | 0.01 | | Nov 7, 2023 | Improper Neutralization of Formula Elements in a CSV File vulnerability in Narola Infotech Solutions LLP Export Users Data Distinct. This issue affects Export Users Data Distinct: from n/a through 1.3. |
| CVE-2022-45348 | | Med | 0.38 | 5.8 | 0.01 | | Nov 7, 2023 | Improper Neutralization of Formula Elements in a CSV File vulnerability in anmari amr users. This issue affects amr users: from n/a through 4.59.4. |
| CVE-2022-45078 | | Med | 0.38 | 5.9 | 0.01 | | Nov 7, 2023 | Improper Neutralization of Formula Elements in a CSV File vulnerability in Solwin Infotech User Blocker. This issue affects User Blocker: from n/a through 1.5.5. |
| CVE-2022-47442 | | Med | 0.38 | 5.8 | 0.01 | | Nov 7, 2023 | Improper Neutralization of Formula Elements in a CSV File vulnerability in AyeCode Ltd UsersWP. This issue affects UsersWP: from n/a through 1.2.3.9. |
| CVE-2022-4034 | | Med | 0.38 | 5.8 | 0.01 | | Nov 29, 2022 | The Appointment Hour Booking Plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.3.72. This makes it possible for unauthenticated attackers to embed untrusted input into content during booking creation that may be exported as a CSV file when a… |
| CVE-2026-9673 | | Med | 0.37 | 6.8 | 0.00 | | May 28, 2026 | Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications. |
| CVE-2026-42267 | | Med | 0.37 | 5.7 | 0.00 | | May 8, 2026 | Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM(54+51)) via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX,… |
| CVE-2025-11279 | | Med | 0.36 | 5.5 | 0.00 | | Oct 5, 2025 | A vulnerability was detected in Axosoft Scrum and Bug Tracking 22.1.1.11545. This issue affects some unknown processing of the component Add Work Item Page. The manipulation of the argument Title results in csv injection. The attack can be launched remotely. The exploit is now… |
| CVE-2026-27644 | | Med | 0.35 | 6.5 | 0.00 | | May 5, 2026 | Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. An attacker can inject spreadsheet formulas… |
| CVE-2025-52386 | | Med | 0.35 | 5.4 | 0.00 | | Aug 13, 2025 | CycloneDX Sunshine v0.9 is vulnerable to CSV Formula Injection via a crafted JSON file |
| CVE-2023-41798 | | Med | 0.33 | 5.1 | 0.01 | | Nov 7, 2023 | Improper Neutralization of Formula Elements in a CSV File vulnerability in wpWax Directorist – WordPress Business Directory Plugin with Classified Ads Listing. This issue affects Directorist – WordPress Business Directory Plugin with Classified Ads Listings: from n/a through… |