CWE-1236
Improper Neutralization of Formula Elements in a CSV File
Description
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (117)
page 5 of 6

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-41073 | | Med | 0.23 | 4.6 | 0.00 | | May 22, 2026 | RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output… |
| CVE-2025-11576 | | Med | 0.21 | 4.3 | 0.00 | | Oct 24, 2025 | The AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.6.5. This is due to insufficient sanitization in the 'newcodebyte_chatbot_export_messages' function. This… |
| CVE-2025-11254 | | Med | 0.21 | 4.3 | 0.00 | | Oct 11, 2025 | The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 27.0.3 via gallery submissions. This makes it possible for unauthenticated attackers to embed untrusted input into… |
| CVE-2025-7061 | | Low | 0.18 | 2.7 | 0.00 | | Jul 4, 2025 | A vulnerability was found in Intelbras InControl up to 2.21.60.9. It has been declared as problematic. This vulnerability affects unknown code of the file /v1/operador/. The manipulation leads to csv injection. The attack can be initiated remotely. The exploit has been disclosed… |
| CVE-2025-61873 | | Low | 0.17 | 2.6 | 0.00 | | Jan 16, 2026 | Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used. |
| CVE-2025-1421 | — | Low | 0.16 | — | 0.00 | | May 21, 2025 | Data provided in a request performed to the server while activating a new device are put in a database. Other high privileged users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access… |
| CVE-2018-11652 | | Cri | 0.05 | 9.8 | 0.25 | | Jun 1, 2018 | CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers to inject arbitrary OS commands via the Server field in an HTTP response header, which is directly injected into a CSV report. |
| CVE-2023-29918 | | — | 0.03 | — | 0.02 | | May 2, 2023 | RosarioSIS 10.8.4 is vulnerable to CSV injection via the Periods Module. |
| CVE-2026-47693 | | | 0.00 | — | 0.00 | | Jun 8, 2026 | Poweradmin v4.4.0 is vulnerable to CSV Injection (Formula Injection) in its log export functionality. User-controlled data — specifically the username field — is written to exported CSV files without sanitizing formula trigger characters (=, +, -,… |
| CVE-2025-67851 | | | 0.00 | — | 0.00 | | Feb 3, 2026 | A flaw was found in moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute.… |
| CVE-2020-36962 | | | 0.00 | — | 0.11 | | Jan 28, 2026 | Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like '=10+20+cmd\|' /C calc'!A0' in the message field to trigger arbitrary… |
| CVE-2023-53929 | | | 0.00 | — | 0.00 | | Dec 17, 2025 | phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc\|a!z\|' to trigger code execution when an administrator exports user… |
| CVE-2025-62417 | | | 0.00 | — | 0.00 | | Oct 16, 2025 | Bagisto is an open source laravel eCommerce platform. When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved into a CSV and opened in spreadsheet software, the spreadsheet will interpret that cell as… |
| CVE-2025-55745 | | | 0.00 | — | 0.01 | | Aug 22, 2025 | UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Versions 0.3.0 and prior are vulnerable to CSV injection, also known as formula injection, in the Quick Export feature. This vulnerability allows attackers to inject malicious… |
| CVE-2024-55532 | | — | 0.00 | — | 0.01 | | Mar 3, 2025 | Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version < 2.6.0. Users are recommended to upgrade to version 2.6.0, which fixes this issue. |
| CVE-2024-27321 | | | 0.00 | — | 0.00 | | Sep 12, 2024 | An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its multilabel classification tasks handle provided CSV files. If a user creates a multilabel classification task using a maliciously crafted CSV file… |
| CVE-2024-27320 | | | 0.00 | — | 0.00 | | Sep 12, 2024 | An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its classification tasks handle provided CSV files. If a victim user creates a classification task using a maliciously crafted CSV file containing… |
| CVE-2023-50448 | | | 0.00 | — | 0.01 | | Dec 28, 2023 | In ActiveAdmin (aka Active Admin) before 2.12.0, a concurrency issue allows a malicious actor to access potentially private data (that belongs to another user) by making CSV export requests at certain specific times. |
| CVE-2023-51763 | | | 0.00 | — | 0.01 | | Dec 24, 2023 | csv_builder.rb in ActiveAdmin (aka Active Admin) before 3.2.0 allows CSV injection. |
| CVE-2023-4006 | | — | 0.00 | — | 0.01 | | Jul 31, 2023 | Improper Neutralization of Formula Elements in a CSV File in GitHub repository thorsten/phpmyfaq prior to 3.1.16. |