Total: 280 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2026-23873 | 1 Hustoj | 1 Hustoj | 2026-02-27 | N/A | 9.0 CRITICAL | hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through the contest rank export functionality (contestrank.xls.php and admin/ranklist_export.php). The application fails to sanitize user-supplied input (specifically the "Nickname" field) before exporting it to an .xls file (which renders as an HTML table but is opened by Excel). If a malicious user sets their nickname to an Excel fo ... |
| CVE-2021-38180 | 1 Sap | 1 Business One | 2026-02-24 | 9.3 HIGH | 9.8 CRITICAL | SAP Business One version 10.0 allows an attacker to inject formulas when exporting data to Excel (CSV injection) due to improper sanitization during the data export. An attacker could thereby execute arbitrary commands on the victim's computer, but only if the victim allows macros to execute while opening the file and the security settings of Excel allow command execution. |
| CVE-2020-16214 | 1 Philips | 1 Patient Information Center Ix | 2026-02-23 | 5.8 MEDIUM | 5.0 MEDIUM | In Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, the software saves user-provided information into a comma-separated value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software. |
| CVE-2023-51763 | 1 Activeadmin | 1 Active Admin | 2026-02-23 | N/A | 9.8 CRITICAL | csv_builder.rb in ActiveAdmin (aka Active Admin) before 3.2.0 allows CSV injection. |
| CVE-2025-67851 | 1 Moodle | 1 Moodle | 2026-02-11 | N/A | 6.1 MEDIUM | A flaw was found in Moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet. |
| CVE-2026-24447 | | | 2026-02-04 | N/A | 6.5 MEDIUM | If malformed data is input to the affected product, a CSV file downloaded from the affected product may contain such malformed data. When a victim user downloads and opens such a CSV file, the embedded code may be executed in the user's environment. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well. |
| CVE-2020-36962 | 1 Tendenci | 1 Tendenci | 2026-02-02 | N/A | 9.8 CRITICAL | Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like '=10+20+cmd\|' /C calc'!A0' in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications. |
| CVE-2020-36941 | | | 2026-01-29 | N/A | 9.8 CRITICAL | Knockpy 4.1.1 contains a CSV injection vulnerability that allows attackers to inject malicious formulas into CSV reports through unfiltered server headers. Attackers can manipulate server response headers to include spreadsheet formulas that will execute when the CSV is opened in spreadsheet applications. |
| CVE-2021-47901 | | | 2026-01-29 | N/A | 9.8 CRITICAL | Dirsearch 0.4.1 contains a CSV injection vulnerability when using the --csv-report flag that allows attackers to inject formulas through redirected endpoints. Attackers can craft malicious server redirects with comma-separated paths containing Excel formulas to manipulate the generated CSV report. |
| CVE-2025-61873 | | | 2026-01-26 | N/A | 2.6 LOW | Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used. |
| CVE-2025-50572 | | | 2026-01-12 | N/A | 8.8 HIGH | Archer 6.11.00204.10014 allows attackers to execute arbitrary code via crafted system inputs that would be exported into the CSV and be executed after the user opened the file with compatible applications. NOTE: the Supplier does not accept this as a valid vulnerability report against their product. |
| CVE-2024-27785 | 1 Fortinet | 1 Fortiaiops | 2026-01-09 | N/A | 5.4 MEDIUM | An improper neutralization of formula elements in a CSV File [CWE-1236] vulnerability in Fortinet FortiAIOps 2.0.0 may allow a remote authenticated attacker to execute arbitrary commands on a client's workstation via poisoned CSV reports. |
| CVE-2025-66834 | 1 Trueconf | 1 Server | 2026-01-07 | N/A | 7.3 HIGH | A CSV Formula Injection vulnerability in TrueConf Server v5.5.2.10813 allows a normal user to inject malicious spreadsheet formulas into exported chat logs via a crafted Display Name. |
| CVE-2025-35033 | 1 Mieweb | 1 Enterprise Health | 2026-01-02 | N/A | 4.1 MEDIUM | Medical Informatics Engineering Enterprise Health has a CSV injection vulnerability that allows a remote, authenticated attacker to inject macros in downloadable CSV files. This issue is fixed as of 2025-03-14. |
| CVE-2023-53929 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-12-31 | N/A | 8.8 HIGH | phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc\|a!z\|' to trigger code execution when an administrator exports user data as a CSV file. |
| CVE-2023-53905 | 1 Projectsend | 1 Projectsend | 2025-12-27 | N/A | 8.0 HIGH | ProjectSend r1605 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into user profile names. Attackers can craft payloads like =calc\|a!z\| in the name field to trigger code execution when administrators export action logs as CSV files. |
| CVE-2023-53913 | 1 Rukovoditel | 1 Rukovoditel | 2025-12-24 | N/A | 8.8 HIGH | Rukovoditel 3.3.1 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into the firstname field. Attackers can craft payloads like =calc\|a!z\| to trigger code execution when an admin exports customer data as a CSV file. |
| CVE-2025-14229 | 1 Warren-daloyan | 1 Inventory Management System | 2025-12-10 | 5.8 MEDIUM | 4.7 MEDIUM | A security vulnerability has been detected in SourceCodester Inventory Management System 1.0. The affected element is an unknown function of the component SVC Report Export. Such manipulation leads to CSV injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. |
| CVE-2024-28111 | 1 Thinkst | 1 Canarytokens | 2025-12-05 | N/A | 6.5 MEDIUM | Canarytokens helps track activity and actions on a network. Canarytokens.org supports exporting the history of a Canarytoken's incidents in CSV format. The generation of these CSV files is vulnerable to a CSV Injection vulnerability. This flaw can be used by an attacker who discovers an HTTP-based Canarytoken to target the Canarytoken's owner, if the owner exports the incident history to CSV and opens it in a reader application such as Microsoft Excel. The impact is that this issue could lead to co ... |
| CVE-2025-51735 | 1 Hcltech | 1 Unica | 2025-12-02 | N/A | 7.5 HIGH | CSV formula injection vulnerability in HCL Technologies Ltd. Unica 12.0.0. |
| CVE-2025-13133 | | | 2025-11-18 | N/A | 6.6 MEDIUM | The Simple User Import Export plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.1.7 via the 'Import/export users' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. |
| CVE-2023-51336 | 1 Phpjabbers | 1 Meeting Room Booking System | 2025-11-04 | N/A | 8.8 HIGH | PHPJabbers Meeting Room Booking System v1.0 is vulnerable to CSV Injection, which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on the Languages section Labels any parameters field in System Options that is used to construct the CSV file. |
| CVE-2023-51333 | 1 Phpjabbers | 1 Cinema Booking System | 2025-11-04 | N/A | 8.8 HIGH | PHPJabbers Cinema Booking System v1.0 is vulnerable to CSV Injection, which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on the Languages section Labels any parameters field in System Options that is used to construct the CSV file. |
| CVE-2023-51319 | 1 Phpjabbers | 1 Bus Reservation System | 2025-11-04 | N/A | 8.8 HIGH | PHPJabbers Bus Reservation System v1.1 is vulnerable to CSV Injection, which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on the Languages section Labels any parameters field in System Options that is used to construct the CSV file. |
| CVE-2023-51311 | 1 Phpjabbers | 1 Car Park Booking System | 2025-11-04 | N/A | 8.8 HIGH | PHPJabbers Car Park Booking System v3.0 is vulnerable to CSV Injection, which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on the Languages section Labels any parameters field in System Options that is used to construct the CSV file. |
| CVE-2025-9241 | 1 Eladmin | 1 Eladmin | 2025-10-31 | 6.5 MEDIUM | 6.3 MEDIUM | A weakness has been identified in elunez eladmin up to 2.7. This affects the function exportUser. This manipulation causes CSV injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. |
| CVE-2025-60852 | | | 2025-10-27 | N/A | 6.5 MEDIUM | A CSV Injection vulnerability existed in Instant Developer Foundation versions prior to 25.0.9600. Applications built with affected versions of the framework did not properly sanitize user-controlled input before including it in CSV exports. This issue could lead to code execution on the system where the exported CSV file is opened. |
| CVE-2025-11576 | | | 2025-10-27 | N/A | 4.3 MEDIUM | The AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.6.5. This is due to insufficient sanitization in the 'newcodebyte_chatbot_export_messages' function. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. |
| CVE-2025-12249 | | | 2025-10-27 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability was detected in Axosoft Scrum and Bug Tracking 22.1.1.11545. The impacted element is an unknown function of the component Edit Ticket Page. Performing manipulation of the argument Title results in CSV injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2024-3232 | 1 Tenable | 1 Identity Exposure | 2025-10-22 | N/A | 7.6 HIGH | A formula injection vulnerability exists in Tenable Identity Exposure where an authenticated remote attacker with administrative privileges could manipulate application form fields in order to trick another administrator into executing CSV payloads. |
| CVE-2025-62417 | 1 Webkul | 1 Bagisto | 2025-10-22 | N/A | 7.8 HIGH | Bagisto is an open source Laravel eCommerce platform. When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved into a CSV and opened in spreadsheet software, the spreadsheet will interpret that cell as a formula. This allows an attacker to supply a CSV field (e.g., product name) that contains a formula which may be evaluated by a victim's spreadsheet application — potentially leading to data exfiltration and remote com ... |
| CVE-2025-11254 | | | 2025-10-14 | N/A | 4.3 MEDIUM | The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 27.0.3 via gallery submissions. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. |
| CVE-2025-11498 | | | 2025-10-14 | N/A | 6.1 MEDIUM | An Improper Neutralization of Formula Elements in a CSV File vulnerability exists in System Diagnostics Manager (SDM) of B&R Automation Runtime versions before 6.4, enabling a remote attacker to inject formula data into a generated CSV file. The exploitation of this vulnerability requires the attacker to create a malicious link. The user would need to click on this link, after which the resulting CSV file additionally needs to be manually opened. |
| CVE-2025-11279 | | | 2025-10-06 | 6.5 MEDIUM | 5.5 MEDIUM | A vulnerability was detected in Axosoft Scrum and Bug Tracking 22.1.1.11545. This issue affects some unknown processing of the component Add Work Item Page. The manipulation of the argument Title results in CSV injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2024-45084 | 2 Ibm, Microsoft | 3 Cognos Controller, Controller, Windows | 2025-09-29 | N/A | 8.0 HIGH | IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 could allow an authenticated attacker to conduct formula injection. An attacker could execute arbitrary commands on the system, caused by improper validation of file contents. |
| CVE-2024-24337 | 1 Koha | 1 Koha | 2025-09-29 | N/A | 8.0 HIGH | CSV Injection vulnerability in the '/members/moremember.pl' and '/admin/aqbudgets.pl' endpoints in Koha Library Management System version 23.05.05 and earlier allows attackers to inject DDE commands into CSV exports via the 'Budget' and 'Patrons Member' components. |
| CVE-2023-48029 | 1 Corebos | 1 Corebos | 2025-09-29 | N/A | 8.0 HIGH | Corebos 8.0 and below is vulnerable to CSV Injection. An attacker with low privileges can inject a malicious command into a table. This vulnerability is exploited when an administrator visits the user management section, exports the data to a CSV file, and then opens it, leading to the execution of the malicious payload on the administrator's computer. |
| CVE-2025-56267 | 1 Avigilon | 1 Access Control Manager | 2025-09-12 | N/A | 9.8 CRITICAL | A CSV injection vulnerability in the /id_profiles endpoint of Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via supplying a crafted Excel file. |
| CVE-2025-58855 | | | 2025-09-05 | N/A | 7.1 HIGH | Improper Neutralization of Formula Elements in a CSV File vulnerability in Denis V (Artprima) AP HoneyPot WordPress Plugin allows Reflected XSS. This issue affects AP HoneyPot WordPress Plugin: from n/a through 1.4. |
| CVE-2025-39245 | | | 2025-08-29 | N/A | 4.7 MEDIUM | There is a CSV Injection Vulnerability in some HikCentral Master Lite versions. This could allow an attacker to inject executable commands via malicious CSV data. |