
CWE-1236

Improper Neutralization of Formula Elements in a CSV File

37 CVEs, average CVSS 6.6 (source: MITRE). Severity breakdown: 9 Critical, 6 High, 18 Medium, 4 Low. 7 with a public PoC, 0 listed in CISA KEV.

CVE-2026-54243 PHP MEDIUM PATCH GHSA This Month

CSV formula injection in Statamic CMS allows an unauthenticated front-end visitor to plant spreadsheet formula payloads via public form submissions that execute when a Control Panel editor exports and opens those submissions in a spreadsheet application. Affected versions span the entire v5 branch below 5.73.24 and v6 branch from 6.0.0 below 6.20.1; vendor-released patches exist for both. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, though the attack structure is well-understood and requires no specialized tooling given the unauthenticated submission vector.

Tags: Information Disclosure | Sources: NVD, GitHub | CVSS 3.1: 6.1
CVE-2026-50179 npm MEDIUM PATCH GHSA This Month

CSV formula injection in Actual Budget's transaction export functions allows an attacker who controls imported transaction data to embed spreadsheet formulas in Payee, Notes, Account, and Category fields, which survive verbatim into exported CSV files. Affected versions of @actual-app/web prior to 26.6.0 pass these fields to csv-stringify at export-to-csv.ts:56 and :131 without any formula-prefix neutralization, meaning strings beginning with =, +, -, @, tab, or carriage return are written raw to disk. When victims or downstream recipients (accountants, tax preparers) open the exported file in Excel, LibreOffice Calc, or Google Sheets, the =HYPERLINK variant silently exfiltrates adjacent transaction data on click with no security prompt, while =WEBSERVICE and =IMPORTXML auto-fire in some configurations; a fully working PoC is documented in GHSA-xqjm-27pc-rvwm and no KEV listing exists at time of analysis.

Tags: Information Disclosure, Google | Sources: NVD, GitHub | CVSS 3.1: 4.2
CVE-2026-46672 npm MEDIUM PATCH GHSA This Month

CSV formula injection in @actual-app/cli versions prior to 26.6.0 allows an attacker who can write user-controlled strings into an Actual Budget database to execute arbitrary spreadsheet formulas when the victim exports data using the --format csv flag and opens the resulting file in Excel, LibreOffice Calc, or Google Sheets. The vulnerable `escapeCsv` helper in `packages/cli/src/output.ts` neutralizes only RFC 4180 delimiters and quotes but does not strip formula-trigger prefixes (=, +, -, @, tab, CR), meaning payloads in payee names, account names, categories, notes, or tags survive into the CSV output unchanged. A publicly available proof-of-concept is included in the GHSA-7gh7-258j-4mpq advisory; no CISA KEV listing exists at time of analysis.

Tags: RCE, Google, Node.js, Microsoft | Sources: NVD, GitHub | CVSS 3.1: 4.6
CVE-2026-5242 HIGH PATCH This Week

CSV formula injection in MIA Technology's Pizzy Library (versions 1.0.0.26250 through 1.3.9.26250) allows authenticated attackers to inject malicious formula elements into generated CSV files, leading to code execution when the file is opened in a spreadsheet application. The flaw is rated CVSS 8.8 and was reported by TR-CERT, though no public exploit has been identified at time of analysis. Impact spans confidentiality, integrity, and availability on the system of any victim who opens the crafted CSV.

Tags: Code Injection, Pizzy Library | Sources: NVD | CVSS 3.1: 8.8 | EPSS: 0.3%
CVE-2026-47693 PHP MEDIUM PATCH GHSA This Month

CSV Injection in Poweradmin's log export functionality allows a high-privileged attacker to embed spreadsheet formulas in usernames that execute when an administrator exports activity logs and opens the resulting CSV in Excel, LibreOffice Calc, or Google Sheets. All four log export controllers pass username fields directly to PHP's fputcsv() without neutralizing formula trigger characters (=, +, -, @), enabling phishing via rendered hyperlinks and silent data exfiltration via =IMPORTXML() or similar functions targeting victim administrators. Publicly available exploit code exists per GHSA-3h6h-67x3-cv5x; the vulnerability is not listed in CISA KEV.

Tags: PHP, Information Disclosure, Docker, Google, Microsoft | Sources: NVD, GitHub | CVSS 3.1: 6.9 | EPSS: 0.0%
CVE-2025-52612 HIGH This Week

CSV injection and reflected cross-site scripting affect HCL iControl due to insufficient input sanitization in the Export CSV feature and in reflected parameters. An attacker who can lure an authenticated user into clicking a crafted link can execute script in the victim's browser session or inject formula payloads into exported CSV files that execute when opened in spreadsheet applications. No public exploit has been identified at time of analysis; the issue carries a CVSS 7.1 (High) rating driven largely by its user-interaction and low-privilege requirements.

Tags: XSS, iControl | Sources: NVD | CVSS 3.1: 7.1 | EPSS: 0.0%
CVE-2026-10248 LOW POC Monitor

CSV injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows high-privileged remote attackers to embed malicious spreadsheet formula payloads via the Address and Company Name fields in the Supplier Creation Interface, which are then written unsanitized to exported CSV files. When downstream staff open the exported file in a spreadsheet application such as Microsoft Excel or LibreOffice Calc, the injected formulas execute in that client application's context, enabling information disclosure, data manipulation, or further client-side exploitation. A publicly available proof-of-concept exists (GitHub), though no active exploitation has been confirmed and this CVE is not listed in the CISA KEV catalog.

Tags: Information Disclosure, Pharmacy Sales And Inventory System | Sources: NVD, VulDB, GitHub | CVSS 4.0: 2.0 | EPSS: 0.1%
CVE-2026-9673 npm MEDIUM PATCH This Month

CSV Injection protection bypass in json-2-csv (npm) allows formula injection to survive the preventCsvInjection sanitization option when injection characters are preceded by leading spaces. Versions 3.15.0 through 5.5.10 are affected. An attacker who can supply JSON input values with space-prefixed formula strings (e.g., ' =SUM(A1:A10)') causes the resulting CSV to carry live spreadsheet formulas, which execute when a recipient opens the file in Excel, Google Sheets, or LibreOffice. Publicly available exploit code exists (Snyk/Gist POC); no confirmed active exploitation (not in CISA KEV).

Tags: Authentication Bypass | Sources: NVD, GitHub, VulDB | CVSS 4.0: 5.5 | EPSS: 0.0%
CVE-2026-41073 MEDIUM This Month

Spreadsheet formula injection in Best Practical Request Tracker (RT) allows a low-privileged authenticated attacker to embed malicious formulas in ticket fields that execute when an administrator or staff member exports data to CSV and opens the file in a spreadsheet application. Affected versions span the entire RT 5.0 line prior to 5.0.10 and RT 6.0.0 through 6.0.2. No public exploit code has been identified at time of analysis and no CISA KEV listing exists, but the attack surface is broad given that CSV exports are a routine administrative workflow in ticketing systems.

Tags: Code Injection, RT | Sources: NVD, GitHub | CVSS 3.1: 4.6 | EPSS: 0.0%
CVE-2026-35157 MEDIUM PATCH This Month

Remote code execution in Dell ECS 3.8.1.0-3.8.1.7 and ObjectScale prior to 4.3.0.0 results from improper neutralization of formula elements in CSV files processed by the UI. Unauthenticated remote attackers can exploit this vulnerability, with user interaction (a formula injection attack), to achieve remote execution with limited confidentiality, integrity, and availability impact. No active exploitation has been confirmed; exploitation requires the victim to interact with the malicious CSV content.

Tags: Information Disclosure, Dell | Sources: NVD, VulDB | CVSS 3.1: 5.8 | EPSS: 0.1%