Vulnerabilities (CVE)

Filtered by CWE-1236
Total 222 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-9102 2025-04-16 N/A N/A
phpLDAPadmin since at least version 1.2.0 through the latest version 1.2.6.7 allows users to export elements from the LDAP directory into a Comma-Separated Value (CSV) file, but it does not neutralize special elements that could be interpreted as a command when the file is opened by a spreadsheet product. Thus, this could lead to CSV Formula Injection. NOTE: This vulnerability will not be addressed, the maintainer's position is that it is not the intention of phpLDAPadmin to control what data Administrators can put in their LDAP database, nor filter it on export.
CVE-2024-28764 2 Ibm, Linux 2 Websphere Automation, Linux Kernel 2025-04-11 N/A 6.5 MEDIUM
IBM WebSphere Automation 1.7.0 could allow an attacker with privileged access to the network to conduct a CSV injection. An attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 285623.
CVE-2022-37786 1 Wecube-platform Project 1 Wecube-platform 2025-04-11 N/A 6.3 MEDIUM
An issue was discovered in WeCube Platform 3.2.2. There are multiple CSV injection issues: the [Home / Admin / Resources] page, the [Home / Admin / System Params] page, and the [Home / Design / Basekey Configuration] page.
CVE-2023-45597 1 Ailux 1 Imx6 2025-04-10 N/A 5.9 MEDIUM
A CWE-1236 “Improper Neutralization of Formula Elements in a CSV File” vulnerability in the “file_configuration” functionality of the web application (concerning the function “export_file”) allows a remote authenticated attacker to inject arbitrary formulas inside generated CSV files. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.
CVE-2023-51333 1 Phpjabbers 1 Cinema Booking System 2025-04-10 N/A 8.8 HIGH
PHPJabbers Cinema Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.
CVE-2023-51336 1 Phpjabbers 1 Meeting Room Booking System 2025-04-10 N/A 8.8 HIGH
PHPJabbers Meeting Room Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.
CVE-2024-29375 2025-03-28 N/A 9.8 CRITICAL
CSV Injection vulnerability in Addactis IBNRS v.3.10.3.107 allows a remote attacker to execute arbitrary code via a crafted .ibnrs file to the Project Description, Identifiers, Custom Triangle Name (inside Input Triangles) and Yield Curve Name parameters.
CVE-2024-47485 1 Hikvision 1 Hikcentral Master 2025-03-13 N/A 9.8 CRITICAL
There is a CSV injection vulnerability in some HikCentral Master Lite versions. If exploited, an attacker could build malicious data to generate executable commands in the CSV file.
CVE-2025-1836 2025-03-02 4.0 MEDIUM 4.3 MEDIUM
A vulnerability was found in Incorta 2023.4.3. It has been classified as problematic. Affected is an unknown function of the component Edit Insight Handler. The manipulation of the argument Service Name leads to csv injection. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2022-41791 1 Metagauss 1 Profilegrid 2025-02-20 N/A 6.5 MEDIUM
Auth. (subscriber+) CSV Injection vulnerability in ProfileGrid plugin <= 5.1.6 on WordPress.
CVE-2022-38061 1 Apasionados 1 Export Post Info 2025-02-20 N/A 6.2 MEDIUM
Authenticated (author+) CSV Injection vulnerability in Export Post Info plugin <= 1.2.0 at WordPress.
CVE-2024-47572 2025-02-18 N/A 9.0 CRITICAL
An improper neutralization of formula elements in a csv file in Fortinet FortiSOAR 7.2.1 through 7.4.1 allows attacker to execute unauthorized code or commands via manipulating csv file
CVE-2023-25983 1 Logon 1 Kb Support 2025-02-11 N/A 8.8 HIGH
Improper Neutralization of Formula Elements in a CSV File vulnerability in WPOmnia KB Support.This issue affects KB Support: from n/a through 1.5.84.
CVE-2023-46400 1 Kwhotel 1 Kwhotel 2025-02-07 N/A 9.8 CRITICAL
KWHotel 0.47 is vulnerable to CSV Formula Injection in the add guest function.
CVE-2019-16120 1 Liquidweb 1 Event Tickets 2025-02-07 6.5 MEDIUM 8.8 HIGH
CSV injection in the event-tickets (Event Tickets) plugin before 4.10.7.2 for WordPress exists via the "All Post> Ticketed > Attendees" Export Attendees feature.
CVE-2023-48709 1 Combodo 1 Itop 2025-02-06 N/A 8.0 HIGH
iTop is an IT service management platform. When exporting data from backoffice or portal in CSV or Excel files, users' inputs may include malicious formulas that may be imported into Excel. As Excel 2016 does **not** prevent Remote Code Execution by default, uninformed users may become victims. This vulnerability is fixed in 2.7.9, 3.0.4, 3.1.1, and 3.2.0.
CVE-2023-46401 1 Kwhotel 1 Kwhotel 2025-02-04 N/A 9.8 CRITICAL
KWHotel 0.47 is vulnerable to CSV Formula Injection in the invoice adding function.
CVE-2023-25348 1 Churchcrm 1 Churchcrm 2025-02-04 N/A 7.8 HIGH
ChurchCRM 4.5.3 was discovered to contain a CSV injection vulnerability via the Last Name and First Name input fields when creating a new person. These vulnerabilities allow attackers to execute arbitrary code via a crafted excel file.
CVE-2023-29918 1 Rosariosis 1 Rosariosis 2025-01-30 N/A 5.4 MEDIUM
RosarioSIS 10.8.4 is vulnerable to CSV injection via the Periods Module.
CVE-2024-3214 1 Relevanssi 1 Relevanssi 2025-01-28 N/A 5.8 MEDIUM
The Relevanssi – A Better Search plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 4.22.1. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.