CWE-1236

Improper Neutralization of Formula Elements in a CSV File

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

292 vulnerabilities with CWE-1236
CVE-2025-35033 (MEDIUM, CVSS 4.1): Medical Informatics Engineering Enterprise Health - CSV Injection
CVE-2025-56267 (CRITICAL, CVSS 9.8): Avigilon ACM <7.10.0.20 - Code Injection
CVE-2025-58855 (HIGH, CVSS 7.1): AP HoneyPot WordPress Plugin <= 1.4 - Reflected Cross-Site Scripting via CSV Formula Injection
CVE-2025-39245 (MEDIUM, CVSS 4.7): HikCentral Master Lite - Command Injection
CVE-2025-55745 (HIGH, CVSS 8.8): UnoPim < 0.3.1 - CSV Injection via Quick Export Feature
CVE-2025-9241 (MEDIUM, CVSS 6.3): elunez eladmin <2.7 - CSV Injection
CVE-2025-52386 (MEDIUM, CVSS 5.4): CycloneDX Sunshine <0.9 - Code Injection
CVE-2025-8767 (MEDIUM, CVSS 4.8): AnWP Football Leagues <0.16.17 - Code Injection
CVE-2025-8808 (MEDIUM, CVSS 4.3): xujeff tianti <= 2.3 - CSV Injection via exportOrder Function
CVE-2025-50572 (HIGH, CVSS 8.8): RSA Archer 6.11.00204.10014 - Remote Code Execution via CSV Formula Injection
CVE-2025-54752 (MEDIUM, CVSS 6.5): PowerCMS 4.0-4.61 - CSV Injection via Malformed Entry
CVE-2025-6838 (MEDIUM, CVSS 4.1): Broken Link Notifier <1.3.0 - Code Injection
CVE-2025-7061 (LOW, CVSS 2.7): Intelbras InControl <2.21.60.9 - CSV Injection
CVE-2025-1421 (LOW): Konsola Proget <2.17.5 - Info Disclosure
CVE-2025-4546 (MEDIUM, CVSS 4.7): 1Panel-dev MaxKB <1.10.7 - CSV Injection
CVE-2025-1836 (MEDIUM, CVSS 4.3): Incorta 2023.4.3 - CSV Injection via Edit Insight Handler Service Name Argument
CVE-2024-55532 (CRITICAL, CVSS 9.8): Apache Ranger <2.6.0 - Info Disclosure
CVE-2024-45084 (HIGH, CVSS 8.0): IBM Cognos Controller <11.0.2 - Command Injection
CVE-2024-47572 (CRITICAL, CVSS 9.0): Fortinet FortiSOAR <7.4.1 - Code Injection
CVE-2024-22063 (HIGH, CVSS 7.6): ZTE ZENIC ONE R58 - Command Injection
CVE-2024-9102 (MEDIUM): phpLDAPadmin <1.2.6.7 - CSV Formula Injection
CVE-2024-53921 (LOW, CVSS 2.8): Samsung Magician 8.1.0 - Path Traversal
CVE-2024-53260 (MEDIUM, CVSS 6.8): Autolab < 3.0.2 - CSV Formula Injection via User Name Field
CVE-2024-53555 (HIGH, CVSS 8.8): Taiga 6.8.1 - CSV Injection via Crafted File Upload
CVE-2024-51094 (HIGH, CVSS 8.0): Snipe-IT <7.0.13 - Privilege Escalation