Total
257 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-7061 | 1 Intelbras | 1 Incontrol Web | 2026-04-29 | 3.3 LOW | 2.7 LOW |
| A vulnerability was found in Intelbras InControl up to 2.21.60.9. It has been declared as problematic. This vulnerability affects unknown code of the file /v1/operador/. The manipulation leads to csv injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-9241 | 1 Eladmin | 1 Eladmin | 2026-04-29 | 6.5 MEDIUM | 6.3 MEDIUM |
| A weakness has been identified in elunez eladmin up to 2.7. This affects the function exportUser. This manipulation causes csv injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. | |||||
| CVE-2025-8808 | 2026-04-29 | 4.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability was found in xujeff tianti 天梯 up to 2.3. It has been rated as problematic. This issue affects the function exportOrder of the file /tianti-module-admin/user/ajax/save of the component com.jeff.tianti.controller. The manipulation leads to csv injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-11279 | 2026-04-29 | 6.5 MEDIUM | 5.5 MEDIUM | ||
| A vulnerability was detected in Axosoft Scrum and Bug Tracking 22.1.1.11545. This issue affects some unknown processing of the component Add Work Item Page. The manipulation of the argument Title results in csv injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-14229 | 1 Warren-daloyan | 1 Inventory Management System | 2026-04-29 | 5.8 MEDIUM | 4.7 MEDIUM |
| A security vulnerability has been detected in SourceCodester Inventory Management System 1.0. The affected element is an unknown function of the component SVC Report Export. Such manipulation leads to csv injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2025-12249 | 2026-04-29 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was detected in Axosoft Scrum and Bug Tracking 22.1.1.11545. The impacted element is an unknown function of the component Edit Ticket Page. Performing manipulation of the argument Title results in csv injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-25983 | 1 Logon | 1 Kb Support | 2026-04-28 | N/A | 8.8 HIGH |
| Improper Neutralization of Formula Elements in a CSV File vulnerability in WPOmnia KB Support.This issue affects KB Support: from n/a through 1.5.84. | |||||
| CVE-2022-46804 | 1 Narolainfotech | 1 Export Users Data Distinct | 2026-04-28 | N/A | 5.8 MEDIUM |
| Improper Neutralization of Formula Elements in a CSV File vulnerability in Narola Infotech Solutions LLP Export Users Data Distinct.This issue affects Export Users Data Distinct: from n/a through 1.3. | |||||
| CVE-2022-41791 | 1 Metagauss | 1 Profilegrid | 2026-04-28 | N/A | 6.8 MEDIUM |
| Auth. (subscriber+) CSV Injection vulnerability in ProfileGrid plugin <= 5.1.6 on WordPress. | |||||
| CVE-2026-31049 | 2026-04-27 | N/A | 9.8 CRITICAL | ||
| An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field | |||||
| CVE-2025-58855 | 2026-04-23 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Formula Elements in a CSV File vulnerability in Denis V (Artprima) AP HoneyPot WordPress Plugin ap-honeypot allows Reflected XSS.This issue affects AP HoneyPot WordPress Plugin: from n/a through <= 1.4. | |||||
| CVE-2026-39424 | 1 Maxkb | 1 Maxkb | 2026-04-20 | N/A | 4.7 MEDIUM |
| MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, the chat export feature is vulnerable to Improper Neutralization of Formula Elements in a CSV File. When an administrator exports the application chat history to an Excel file (.xlsx) via the /admin/api/workspace/{workspace_id}/application/{application_id}/chat/export endpoint, strings starting with formula characters are written directly without proper sanitization. Opening this file in spreadsheet applications like Microsoft Excel can lead to Arbitrary Code Execution (RCE) on the administrator's workstation via Dynamic Data Exchange (DDE). The issue is a variant of CVE-2025-4546, which fixed the exact same pattern in apps/dataset/serializers/document_serializers.py but missed the application chat export sink. This issue has been fixed in version 2.8.0. | |||||
| CVE-2025-13133 | 2026-04-15 | N/A | 6.6 MEDIUM | ||
| The Simple User Import Export plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.1.7 via the 'Import/export users' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration | |||||
| CVE-2025-11498 | 2026-04-15 | N/A | 6.1 MEDIUM | ||
| An Improper Neutralization of Formula Elements in a CSV File vulnerability exists in System Diagnostics Manager (SDM) of B&R Automation Runtime versions before 6.4 enabling a remote attacker to inject formula data into a generated CSV file. The exploitation of this vulnerability requires the attacker to create a malicious link. The user would need to click on this link, after which the resulting CSV file addi-tionally needs to be manually opened. | |||||
| CVE-2026-24447 | 2026-04-15 | N/A | 6.5 MEDIUM | ||
| If a malformed data is input to the affected product, a CSV file downloaded from the affected product may contain such malformed data. When a victim user download and open such a CSV file, the embedded code may be executed in the user's environment. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well. | |||||
| CVE-2021-47901 | 2026-04-15 | N/A | 9.8 CRITICAL | ||
| Dirsearch 0.4.1 contains a CSV injection vulnerability when using the --csv-report flag that allows attackers to inject formulas through redirected endpoints. Attackers can craft malicious server redirects with comma-separated paths containing Excel formulas to manipulate the generated CSV report. | |||||
| CVE-2025-8767 | 2026-04-15 | N/A | 4.8 MEDIUM | ||
| The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 0.16.17 via the 'download_csv_players' and 'download_csv_games' functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. | |||||
| CVE-2024-9102 | 2026-04-15 | N/A | N/A | ||
| phpLDAPadmin since at least version 1.2.0 through the latest version 1.2.6.7 allows users to export elements from the LDAP directory into a Comma-Separated Value (CSV) file, but it does not neutralize special elements that could be interpreted as a command when the file is opened by a spreadsheet product. Thus, this could lead to CSV Formula Injection. NOTE: This vulnerability will not be addressed, the maintainer's position is that it is not the intention of phpLDAPadmin to control what data Administrators can put in their LDAP database, nor filter it on export. | |||||
| CVE-2024-29375 | 2026-04-15 | N/A | 9.8 CRITICAL | ||
| CSV Injection vulnerability in Addactis IBNRS v.3.10.3.107 allows a remote attacker to execute arbitrary code via a crafted .ibnrs file to the Project Description, Identifiers, Custom Triangle Name (inside Input Triangles) and Yield Curve Name parameters. | |||||
| CVE-2025-52386 | 2026-04-15 | N/A | 5.4 MEDIUM | ||
| CycloneDX Sunshine v0.9 is vulnerable to CSV Formula Injection via a crafted JSON file | |||||