
CWE-1236 — Vulnerability Class 128

128 vulnerabilities classified as CWE-1236. AI Chinese analysis included.

CWE-1236 represents a critical input validation weakness where applications fail to properly sanitize user-supplied data before writing it to Comma-Separated Values (CSV) files. This vulnerability is typically exploited by attackers injecting malicious formula elements, such as those starting with equals signs or plus signs, directly into the CSV content. When a victim opens the compromised file in a spreadsheet application like Microsoft Excel, the software interprets these characters as executable commands rather than plain text, potentially triggering remote code execution, data exfiltration, or unauthorized actions. To mitigate this risk, developers must implement robust neutralization strategies, specifically prefixing dangerous characters with single quotes or escaping them appropriately during the serialization process. By ensuring that all user-generated content is treated strictly as data and not as executable instructions, organizations can effectively prevent formula injection attacks and maintain the integrity of their data exchange mechanisms.

MITRE CWE Description
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

Common Consequences (1)
Scope: Confidentiality
Impact: Read Application Data, Execute Unauthorized Code or Commands
Attackers can populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content.

Mitigations (3)
Phase: Implementation
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Effectiveness: Moderate

Phase: Implementation
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Effectiveness: Moderate

Phase: Architecture and Design
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
Effectiveness: Limited
Examples (1)
Hyperlinks or other commands can be executed when a cell begins with the formula identifier, '='.
Attack (Other): =HYPERLINK(link_location, [friendly_name])
Good (Other): HYPERLINK(link_location, [friendly_name])
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-42267 | Kimai: Formula Injection via tag names in XLSX export | kimai | 6.5 (AI) | Medium (AI) | 2026-05-08
CVE-2026-27644 | traccar allows CSV formula injection via exported position data | traccar | 6.5 | Medium | 2026-05-05
CVE-2023-54348 | ERPGo SaaS 3.9 CSV Injection via Vendor Creation | ERPGo SaaS | 8.8 | High | 2026-05-05
CVE-2026-39424 | MaxKB has CSV Injection in its Application Chat Export Functionality | MaxKB | 7.8 | - | 2026-04-14
CVE-2026-24447 | Movable Type security vulnerability | Movable Type (Software Edition) | 8.6 (AI) | High (AI) | 2026-02-04
CVE-2025-67851 | Moodle: moodle: formula injection allows arbitrary formula execution via unescaped data export | | 6.1 | Medium | 2026-02-03
CVE-2020-36962 | Tendenci 12.3.1 - CSV/ Formula Injection | Tendenci | 9.8 | Critical | 2026-01-28
CVE-2021-47901 | dirsearch 0.4.1 - CSV Injection | dirsearch | 9.8 | Critical | 2026-01-27
CVE-2020-36941 | Knockpy 4.1.1 - CSV Injection | knock | 9.8 | Critical | 2026-01-27
CVE-2026-23873 | HUSTOJ is Vulnerable to Stored CSV Injection (Formula Injection) in Contest Rank Export | hustoj | 8.0 (AI) | High (AI) | 2026-01-21
CVE-2025-61873 | Request Tracker security vulnerability | Request Tracker | 2.6 | Low | 2026-01-16
CVE-2023-53929 | phpMyFAQ 3.1.12 CSV Injection via User Profile Export | phpMyFAQ | 8.8 | High | 2025-12-17
CVE-2023-53913 | Rukovoditel 3.3.1 CSV Injection via User Account Export | Rukovoditel | 8.8 | High | 2025-12-17
CVE-2023-53905 | ProjectSend r1605 CSV Injection via User Account Export Functionality | projectSend | 8.0 | High | 2025-12-17
CVE-2025-14229 | SourceCodester Inventory Management System SVC Report Export csv injection | Inventory Management System | 4.7 | Medium | 2025-12-08
CVE-2025-13133 | Simple User Import Export <= 1.1.7 - Authenticated (Admin+) CSV Injection | Simple User Import Export | 6.6 | Medium | 2025-11-18
CVE-2025-12249 | Axosoft Scrum and Bug Tracking Edit Ticket csv injection | Scrum and Bug Tracking | 6.3 | Medium | 2025-10-27
CVE-2025-11576 | AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant <= 1.6.5 - Unauthenticated CSV Injection | AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant | 4.3 | Medium | 2025-10-24
CVE-2025-62417 | bagisto - CSV Formula Injection in Create New Product | bagisto | 7.8 (AI) | High (AI) | 2025-10-16
CVE-2025-11498 | CSV Formula Injection Vulnerability | Automation Runtime | 6.1 | Medium | 2025-10-14
CVE-2025-11254 | Contest Gallery – Upload, Vote & Sell with PayPal and Stripe <= 27.0.3 - Unauthenticated CSV Injection | Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe | 4.3 | Medium | 2025-10-11
CVE-2025-11279 | Axosoft Scrum and Bug Tracking Add Work Item csv injection | Scrum and Bug Tracking | 5.5 | Medium | 2025-10-05
CVE-2025-35033 | Medical Informatics Engineering Enterprise Health CSV injection | Enterprise Health | 4.1 | Medium | 2025-09-29
CVE-2025-58855 | WordPress AP HoneyPot WordPress Plugin Plugin <= 1.4 - Cross Site Request Forgery (CSRF) Vulnerability | AP HoneyPot WordPress Plugin | 7.1 | High | 2025-09-05
CVE-2025-55745 | UnoPim Quick Export feature is vulnerable to CSV injection | unopim | 8.8 (AI) | High (AI) | 2025-08-22
CVE-2025-9241 | elunez eladmin exportUser csv injection | eladmin | 6.3 | Medium | 2025-08-20
CVE-2025-8767 | AnWP Football Leagues <= 0.16.17 - Authenticated (Administrator+) CSV Injection | AnWP Football Leagues | 4.8 | Medium | 2025-08-12
CVE-2025-8808 | xujeff tianti 天梯 com.jeff.tianti.controller save exportOrder csv injection | tianti 天梯 | 4.3 | Medium | 2025-08-10
CVE-2025-54752 | Alfasado PowerCMS security vulnerability | PowerCMS | 6.5 | Medium | 2025-07-31
CVE-2025-6838 | Broken Link Notifier <= 1.3.0 - Authenticated (Contributor+) CSV Injection | Broken Link Notifier | 4.1 | Medium | 2025-07-11

Vulnerabilities classified as CWE-1236 represent 128 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.