VYPR

CWE-1236

Improper Neutralization of Formula Elements in a CSV File

BaseIncomplete

Description

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (117)

page 4 of 6
  • CVE-2026-10248MedJun 1, 2026
    risk 0.31cvss 4.7epss 0.00

    A vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System up to 1.0. This issue affects the function create_supplier of the file /Export_csv/export of the component Supplier Creation Interface. This manipulation of the argument Address/Company Name…

  • CVE-2025-14229MedDec 8, 2025
    risk 0.31cvss 4.7epss 0.00

    A security vulnerability has been detected in SourceCodester Inventory Management System 1.0. The affected element is an unknown function of the component SVC Report Export. Such manipulation leads to csv injection. It is possible to launch the attack remotely. The exploit has…

  • CVE-2025-39245MedAug 29, 2025
    risk 0.31cvss 4.7epss 0.00

    There is a CSV Injection Vulnerability in some HikCentral Master Lite versions. This could allow an attacker to inject executable commands via malicious CSV data.

  • CVE-2023-5424MedJun 7, 2024
    risk 0.31cvss 4.7epss 0.00

    The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened…

  • CVE-2024-3214MedApr 9, 2024
    risk 0.31cvss 5.8epss 0.01

    The Relevanssi – A Better Search plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 4.22.1. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when…

  • CVE-2022-45810MedNov 7, 2023
    risk 0.31cvss 4.7epss 0.01

    Improper Neutralization of Formula Elements in a CSV File vulnerability in Icegram Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce.This issue affects Icegram Express – Email Marketing, Newsletters and Automation for WordPress &…

  • CVE-2022-45360MedNov 7, 2023
    risk 0.31cvss 4.7epss 0.01

    Improper Neutralization of Formula Elements in a CSV File vulnerability in Scott Reilly Commenter Emails.This issue affects Commenter Emails: from n/a through 2.6.1.

  • CVE-2023-36527MedNov 7, 2023
    risk 0.31cvss 4.7epss 0.01

    Improper Neutralization of Formula Elements in a CSV File vulnerability in BestWebSoft Post to CSV by BestWebSoft.This issue affects Post to CSV by BestWebSoft: from n/a through 1.4.0.

  • CVE-2023-23796MedNov 7, 2023
    risk 0.31cvss 4.7epss 0.01

    Improper Neutralization of Formula Elements in a CSV File vulnerability in Muneeb Form Builder | Create Responsive Contact Forms.This issue affects Form Builder | Create Responsive Contact Forms: from n/a through 1.9.9.0.

  • CVE-2023-22719MedNov 7, 2023
    risk 0.31cvss 4.7epss 0.01

    Improper Neutralization of Formula Elements in a CSV File vulnerability in GiveWP.This issue affects GiveWP: from n/a through 2.25.1.

  • CVE-2022-45350MedNov 7, 2023
    risk 0.31cvss 5.8epss 0.01

    Improper Neutralization of Formula Elements in a CSV File vulnerability in Pär Thernström Simple History – user activity log, audit tool.This issue affects Simple History – user activity log, audit tool: from n/a through 3.3.1.

  • CVE-2025-8808MedAug 10, 2025
    risk 0.28cvss 4.3epss 0.00

    A vulnerability was found in xujeff tianti 天梯 up to 2.3. It has been rated as problematic. This issue affects the function exportOrder of the file /tianti-module-admin/user/ajax/save of the component com.jeff.tianti.controller. The manipulation leads to csv injection. The…

  • CVE-2025-1836MedMar 2, 2025
    risk 0.28cvss 4.3epss 0.00

    A vulnerability was found in Incorta 2023.4.3. It has been classified as problematic. Affected is an unknown function of the component Edit Insight Handler. The manipulation of the argument Service Name leads to csv injection. It is possible to launch the attack remotely. The…

  • CVE-2025-6838MedJul 11, 2025
    risk 0.27cvss 4.1epss 0.00

    The Broken Link Notifier plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.3.0 via broken links that are later exported. This makes it possible for authenticated attackers, with Contributor-level access and above, to embed untrusted…

  • CVE-2026-50179medJun 22, 2026
    risk 0.26cvss epss

    ## Summary `exportToCSV` and `exportQueryToCSV` in `packages/loot-core/src/server/transactions/export/export-to-csv.ts` pass user-controlled `Payee`, `Notes`, `Account`, and `Category` strings to `csv-stringify` with no `cast` callback and no formula-prefix neutralization.…

  • CVE-2026-46672medJun 22, 2026
    risk 0.26cvss epss

    ## Summary `@actual-app/cli` ships a hand-rolled CSV serializer in `packages/cli/src/output.ts` (used whenever the global `--format csv` option is passed) whose `escapeCsv` helper only handles RFC 4180 delimiter/quote/newline escaping. It does **not** neutralize the standard…

  • CVE-2024-9102MedDec 19, 2024
    risk 0.26cvss epss 0.00

    phpLDAPadmin since at least version 1.2.0 through the latest version 1.2.6.7 allows users to export elements from the LDAP directory into a Comma-Separated Value (CSV) file, but it does not neutralize special elements that could be interpreted as a command when the file is…

  • CVE-2023-23678MedNov 7, 2023
    risk 0.26cvss 4.0epss 0.01

    Improper Neutralization of Formula Elements in a CSV File vulnerability in WPEkaClub WP Cookie Consent ( for GDPR, CCPA & ePrivacy ).This issue affects WP Cookie Consent ( for GDPR, CCPA & ePrivacy ): from n/a through 2.2.5.

  • CVE-2026-39424MedApr 14, 2026
    risk 0.24cvss 4.7epss 0.00

    MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, the chat export feature is vulnerable to Improper Neutralization of Formula Elements in a CSV File. When an administrator exports the application chat history to an Excel file (.xlsx) via the…

  • CVE-2025-8767MedAug 12, 2025
    risk 0.24cvss 4.8epss 0.00

    The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 0.16.17 via the 'download_csv_players' and 'download_csv_games' functions. This makes it possible for authenticated attackers, with Administrator-level access and…