VYPR

CWE-1236

Improper Neutralization of Formula Elements in a CSV File

Base | Incomplete

Description

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (117)

page 3 of 6
  • CVE-2022-46801 | Med | Nov 7, 2023
    risk 0.40 | cvss 6.1 | epss 0.01

    Improper Neutralization of Formula Elements in a CSV File vulnerability in Paul Ryley Site Reviews. This issue affects Site Reviews: from n/a through 6.2.0.

  • CVE-2022-45370 | Med | Nov 7, 2023
    risk 0.40 | cvss 6.1 | epss 0.01

    Improper Neutralization of Formula Elements in a CSV File vulnerability in WebToffee WordPress Comments Import & Export. This issue affects WordPress Comments Import & Export: from n/a through 2.3.1.

  • CVE-2022-46802 | Med | Nov 7, 2023
    risk 0.40 | cvss 6.1 | epss 0.01

    Improper Neutralization of Formula Elements in a CSV File vulnerability in WebToffee Product Reviews Import Export for WooCommerce. This issue affects Product Reviews Import Export for WooCommerce: from n/a through 1.4.8.

  • CVE-2022-45357 | Med | Nov 7, 2023
    risk 0.40 | cvss 6.1 | epss 0.01

    Improper Neutralization of Formula Elements in a CSV File vulnerability in Lenderd 1003 Mortgage Application. This issue affects 1003 Mortgage Application: from n/a through 1.75.

  • CVE-2026-35157 | Med | May 11, 2026
    risk 0.38 | cvss 5.8 | epss 0.00

    Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0 contain an improper neutralization of formula elements in a CSV file vulnerability in the UI. An unauthenticated attacker with remote access could potentially exploit this vulnerability,…

  • CVE-2022-44738 | Med | Nov 7, 2023
    risk 0.38 | cvss 5.8 | epss 0.01

    Improper Neutralization of Formula Elements in a CSV File vulnerability in Patrick Robrecht Posts and Users Stats. This issue affects Posts and Users Stats: from n/a through 1.1.3.

  • CVE-2022-42882 | Med | Nov 7, 2023
    risk 0.38 | cvss 5.8 | epss 0.01

    Improper Neutralization of Formula Elements in a CSV File vulnerability in Shambix Simple CSV/XLS Exporter. This issue affects Simple CSV/XLS Exporter: from n/a through 1.5.8.

  • CVE-2022-38702 | Med | Nov 7, 2023
    risk 0.38 | cvss 5.8 | epss 0.01

    Improper Neutralization of Formula Elements in a CSV File vulnerability in Nakashima Masahiro WP CSV Exporter. This issue affects WP CSV Exporter: from n/a through 2.0.

  • CVE-2022-46821 | Med | Nov 7, 2023
    risk 0.38 | cvss 5.8 | epss 0.01

    Improper Neutralization of Formula Elements in a CSV File vulnerability in Jackmail & Sarbacane Emails & Newsletters with Jackmail. This issue affects Emails & Newsletters with Jackmail: from n/a through 1.2.22.

  • CVE-2022-46804 | Med | Nov 7, 2023
    risk 0.38 | cvss 5.8 | epss 0.01

    Improper Neutralization of Formula Elements in a CSV File vulnerability in Narola Infotech Solutions LLP Export Users Data Distinct. This issue affects Export Users Data Distinct: from n/a through 1.3.

  • CVE-2022-45348 | Med | Nov 7, 2023
    risk 0.38 | cvss 5.8 | epss 0.01

    Improper Neutralization of Formula Elements in a CSV File vulnerability in anmari amr users. This issue affects amr users: from n/a through 4.59.4.

  • CVE-2022-45078 | Med | Nov 7, 2023
    risk 0.38 | cvss 5.9 | epss 0.01

    Improper Neutralization of Formula Elements in a CSV File vulnerability in Solwin Infotech User Blocker. This issue affects User Blocker: from n/a through 1.5.5.

  • CVE-2022-47442 | Med | Nov 7, 2023
    risk 0.38 | cvss 5.8 | epss 0.01

    Improper Neutralization of Formula Elements in a CSV File vulnerability in AyeCode Ltd UsersWP. This issue affects UsersWP: from n/a through 1.2.3.9.

  • CVE-2022-4034 | Med | Nov 29, 2022
    risk 0.38 | cvss 5.8 | epss 0.01

    The Appointment Hour Booking Plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.3.72. This makes it possible for unauthenticated attackers to embed untrusted input into content during booking creation that may be exported as a CSV file when a…

  • CVE-2026-9673 | Med | May 28, 2026
    risk 0.37 | cvss 6.8 | epss 0.00

    Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications.

  • CVE-2026-42267 | Med | May 8, 2026
    risk 0.37 | cvss 5.7 | epss 0.00

    Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM(54+51)) via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX,…

  • CVE-2025-11279 | Med | Oct 5, 2025
    risk 0.36 | cvss 5.5 | epss 0.00

    A vulnerability was detected in Axosoft Scrum and Bug Tracking 22.1.1.11545. This issue affects some unknown processing of the component Add Work Item Page. The manipulation of the argument Title results in csv injection. The attack can be launched remotely. The exploit is now…

  • CVE-2026-27644 | Med | May 5, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. An attacker can inject spreadsheet formulas…

  • CVE-2025-52386 | Med | Aug 13, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    CycloneDX Sunshine v0.9 is vulnerable to CSV Formula Injection via a crafted JSON file

  • CVE-2023-41798 | Med | Nov 7, 2023
    risk 0.33 | cvss 5.1 | epss 0.01

    Improper Neutralization of Formula Elements in a CSV File vulnerability in wpWax Directorist – WordPress Business Directory Plugin with Classified Ads Listing. This issue affects Directorist – WordPress Business Directory Plugin with Classified Ads Listings: from n/a through…