Common Weakness Enumeration

CWE-1236

Allowed

Improper Neutralization of Formula Elements in a CSV File

Abstraction: Base · Status: Incomplete

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

402 vulnerabilities reference this CWE, most recent first.

GHSA-PP2H-95HM-HV9R

Vulnerability from github – Published: 2021-08-30 16:13 – Updated: 2021-08-27 12:49
VLAI
Summary
Improper Neutralization of Formula Elements in a CSV File in pimcore/pimcore
Details

Impact

Data Object CSV import allows formular injection.

Patches

Problem is patched in 10.1.1

Workarounds

Apply https://github.com/pimcore/pimcore/pull/9992.patch

References

https://cwe.mitre.org/data/definitions/1236.html

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/pimcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-37702"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-26T20:12:56Z",
    "nvd_published_at": "2021-08-18T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nData Object CSV import allows formular injection. \n\n### Patches\nProblem is patched in 10.1.1\n\n### Workarounds\nApply https://github.com/pimcore/pimcore/pull/9992.patch\n\n### References\nhttps://cwe.mitre.org/data/definitions/1236.html\n",
  "id": "GHSA-pp2h-95hm-hv9r",
  "modified": "2021-08-27T12:49:12Z",
  "published": "2021-08-30T16:13:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-pp2h-95hm-hv9r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37702"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/pull/9992"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pimcore/pimcore"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Improper Neutralization of Formula Elements in a CSV File in pimcore/pimcore"
}

GHSA-PQFM-Q79F-GFXC

Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2024-03-21 03:33
VLAI
Details

** DISPUTED ** CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export. NOTE: the vendor has stated "this is not a security problem in DokuWiki."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-15474"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-07T22:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "** DISPUTED ** CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export.  NOTE: the vendor has stated \"this is not a security problem in DokuWiki.\"",
  "id": "GHSA-pqfm-q79f-gfxc",
  "modified": "2024-03-21T03:33:32Z",
  "published": "2022-05-13T01:19:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15474"
    },
    {
      "type": "WEB",
      "url": "https://github.com/splitbrain/dokuwiki/issues/2450"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2018/Sep/4"
    },
    {
      "type": "WEB",
      "url": "https://www.patreon.com/posts/unfixed-security-21250652"
    },
    {
      "type": "WEB",
      "url": "https://www.sec-consult.com/en/blog/advisories/dokuwiki-csv-formula-injection-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PVJ2-28FW-3GC8

Vulnerability from github – Published: 2022-09-17 00:00 – Updated: 2022-09-18 00:00
VLAI
Details

CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Admin user exporting contacts in CSV file may end up executing the malicious system commands on his system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38844"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-16T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Admin user exporting contacts in CSV file may end up executing the malicious system commands on his system.",
  "id": "GHSA-pvj2-28fw-3gc8",
  "modified": "2022-09-18T00:00:32Z",
  "published": "2022-09-17T00:00:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38844"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/cybersecurity-valuelabs/espocrm-7-1-8-is-vulnerable-to-csv-injection-4c07494e2a76"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PWPX-FV8F-9458

Vulnerability from github – Published: 2023-04-25 15:30 – Updated: 2024-04-04 03:40
VLAI
Details

ChurchCRM 4.5.3 was discovered to contain a CSV injection vulnerability via the Last Name and First Name input fields when creating a new person. These vulnerabilities allow attackers to execute arbitrary code via a crafted excel file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-25348"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-25T13:15:09Z",
    "severity": "HIGH"
  },
  "details": "ChurchCRM 4.5.3 was discovered to contain a CSV injection vulnerability via the Last Name and First Name input fields when creating a new person. These vulnerabilities allow attackers to execute arbitrary code via a crafted excel file.",
  "id": "GHSA-pwpx-fv8f-9458",
  "modified": "2024-04-04T03:40:28Z",
  "published": "2023-04-25T15:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25348"
    },
    {
      "type": "WEB",
      "url": "https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-25348"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ChurchCRM/CRM"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PX5R-QP49-693Q

Vulnerability from github – Published: 2026-04-14 15:30 – Updated: 2026-04-16 15:31
VLAI
Details

An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31049"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-14T14:16:13Z",
    "severity": "CRITICAL"
  },
  "details": "An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field",
  "id": "GHSA-px5r-qp49-693q",
  "modified": "2026-04-16T15:31:29Z",
  "published": "2026-04-14T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31049"
    },
    {
      "type": "WEB",
      "url": "https://blog.hostbillapp.com/2025/12/03/hostbill-security-advisory"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Muhammad5235/HostBill-CVEs-2025/blob/main/Missing%20Server-Side%20Validation/Registration%20fields%20%26%20Import%20Csv"
    },
    {
      "type": "WEB",
      "url": "https://hostbillapp.com/changelog"
    },
    {
      "type": "WEB",
      "url": "https://hostbillapp.com/release-notes/11-27-2025.html"
    },
    {
      "type": "WEB",
      "url": "https://hostbillapp.com/release-notes/12-01-2025.html"
    },
    {
      "type": "WEB",
      "url": "https://hostbillapp.com/responsible-disclosure"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q3Q6-3X37-G8GW

Vulnerability from github – Published: 2024-04-09 21:32 – Updated: 2026-04-08 18:32
VLAI
Details

The Relevanssi – A Better Search plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 4.22.1. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3214"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-09T19:15:40Z",
    "severity": "MODERATE"
  },
  "details": "The Relevanssi \u2013 A Better Search plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 4.22.1. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.",
  "id": "GHSA-q3q6-3x37-g8gw",
  "modified": "2026-04-08T18:32:57Z",
  "published": "2024-04-09T21:32:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3214"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3064304/relevanssi/tags/4.22.2/lib/log.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9960bae9-6f19-49eb-8f24-fdde4933671e?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q693-V7QF-P4XJ

Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2025-06-19 18:40
VLAI
Summary
Alkacon OpenCMS CSV Injection via New User module
Details

Alkacon OpenCMS v10.5.4 and before is affected by CSV (aka Excel Macro) Injection in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp) via the First Name or Last Name.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opencms:opencms-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-11819"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-19T18:40:41Z",
    "nvd_published_at": "2019-05-08T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "Alkacon OpenCMS v10.5.4 and before is affected by CSV (aka Excel Macro) Injection in the module New User (/opencms/system/workplace/admin/accounts/user_new.jsp) via the First Name or Last Name.",
  "id": "GHSA-q693-v7qf-p4xj",
  "modified": "2025-06-19T18:40:42Z",
  "published": "2022-05-24T16:45:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11819"
    },
    {
      "type": "WEB",
      "url": "https://github.com/alkacon/opencms-core/issues/636"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/alkacon/opencms-core"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2019/05/05/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Alkacon OpenCMS CSV Injection via New User module"
}

GHSA-Q6V6-32HH-PQ9P

Vulnerability from github – Published: 2023-11-07 21:30 – Updated: 2026-04-28 21:33
VLAI
Details

Improper Neutralization of Formula Elements in a CSV File vulnerability in WPDeveloper ReviewX – Multi-criteria Rating & Reviews for WooCommerce.This issue affects ReviewX – Multi-criteria Rating & Reviews for WooCommerce: from n/a through 1.6.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-46809"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-07T17:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in WPDeveloper ReviewX \u2013 Multi-criteria Rating \u0026 Reviews for WooCommerce.This issue affects ReviewX \u2013 Multi-criteria Rating \u0026 Reviews for WooCommerce: from n/a through 1.6.7.",
  "id": "GHSA-q6v6-32hh-pq9p",
  "modified": "2026-04-28T21:33:02Z",
  "published": "2023-11-07T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46809"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/reviewx/vulnerability/wordpress-reviewx-plugin-1-6-6-csv-injection?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/reviewx/wordpress-reviewx-plugin-1-6-6-csv-injection?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q798-PWW9-Q6HP

Vulnerability from github – Published: 2025-01-24 00:31 – Updated: 2025-01-24 21:31
VLAI
Details

KWHotel 0.47 is vulnerable to CSV Formula Injection in the add guest function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-46400"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-23T22:15:12Z",
    "severity": "MODERATE"
  },
  "details": "KWHotel 0.47 is vulnerable to CSV Formula Injection in the add guest function.",
  "id": "GHSA-q798-pww9-q6hp",
  "modified": "2025-01-24T21:31:27Z",
  "published": "2025-01-24T00:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46400"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/6en6ar/5d39374d6ced8acbe489e0b1b932d056"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q9RQ-5HWP-7WQ9

Vulnerability from github – Published: 2023-11-07 21:30 – Updated: 2026-04-28 21:33
VLAI
Details

Improper Neutralization of Formula Elements in a CSV File vulnerability in Noptin Newsletter Simple Newsletter Plugin – Noptin.This issue affects Simple Newsletter Plugin – Noptin: from n/a through 1.9.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-46803"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1236"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-07T17:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "Improper Neutralization of Formula Elements in a CSV File vulnerability in Noptin Newsletter Simple Newsletter Plugin \u2013 Noptin.This issue affects Simple Newsletter Plugin \u2013 Noptin: from n/a through 1.9.5.",
  "id": "GHSA-q9rq-5hwp-7wq9",
  "modified": "2026-04-28T21:33:02Z",
  "published": "2023-11-07T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46803"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/newsletter-optin-box/vulnerability/wordpress-simple-newsletter-plugin-noptin-plugin-1-9-5-unauth-csv-injection-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/newsletter-optin-box/wordpress-simple-newsletter-plugin-noptin-plugin-1-9-5-unauth-csv-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

Mitigation
Implementation

If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Mitigation
Architecture and Design

Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

No CAPEC attack patterns related to this CWE.