Total: 257 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-51763 | 1 Activeadmin | 1 Active Admin | 2026-02-23 | N/A | 9.8 CRITICAL |
| csv_builder.rb in ActiveAdmin (aka Active Admin) before 3.2.0 allows CSV injection. | |||||
| CVE-2025-67851 | 1 Moodle | 1 Moodle | 2026-02-11 | N/A | 6.1 MEDIUM |
| A flaw was found in Moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet. | |||||
| CVE-2020-36962 | 1 Tendenci | 1 Tendenci | 2026-02-02 | N/A | 9.8 CRITICAL |
| Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like '=10+20+cmd|' /C calc'!A0' in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications. | |||||
| CVE-2024-27785 | 1 Fortinet | 1 Fortiaiops | 2026-01-09 | N/A | 5.4 MEDIUM |
| An improper neutralization of formula elements in a CSV File [CWE-1236] vulnerability in Fortinet FortiAIOps 2.0.0 may allow a remote authenticated attacker to execute arbitrary commands on a client's workstation via poisoned CSV reports. | |||||
| CVE-2025-66834 | 1 Trueconf | 1 Server | 2026-01-07 | N/A | 7.3 HIGH |
| A CSV Formula Injection vulnerability in TrueConf Server v5.5.2.10813 allows a normal user to inject malicious spreadsheet formulas into exported chat logs via crafted Display Name. | |||||
| CVE-2025-35033 | 1 Mieweb | 1 Enterprise Health | 2026-01-02 | N/A | 4.1 MEDIUM |
| Medical Informatics Engineering Enterprise Health has a CSV injection vulnerability that allows a remote, authenticated attacker to inject macros in downloadable CSV files. This issue is fixed as of 2025-03-14. | |||||
| CVE-2023-53929 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-12-31 | N/A | 8.8 HIGH |
| phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV file. | |||||
| CVE-2023-53905 | 1 Projectsend | 1 Projectsend | 2025-12-27 | N/A | 8.0 HIGH |
| ProjectSend r1605 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into user profile names. Attackers can craft payloads like =calc|a!z| in the name field to trigger code execution when administrators export action logs as CSV files. | |||||
| CVE-2023-53913 | 1 Rukovoditel | 1 Rukovoditel | 2025-12-24 | N/A | 8.8 HIGH |
| Rukovoditel 3.3.1 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into the firstname field. Attackers can craft payloads like =calc|a!z| to trigger code execution when an admin exports customer data as a CSV file. | |||||
| CVE-2025-51735 | 1 Hcltech | 1 Unica | 2025-12-02 | N/A | 7.5 HIGH |
| CSV formula injection vulnerability in HCL Technologies Ltd. Unica 12.0.0. | |||||
| CVE-2023-51336 | 1 Phpjabbers | 1 Meeting Room Booking System | 2025-11-04 | N/A | 8.8 HIGH |
| PHPJabbers Meeting Room Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file. | |||||
| CVE-2023-51333 | 1 Phpjabbers | 1 Cinema Booking System | 2025-11-04 | N/A | 8.8 HIGH |
| PHPJabbers Cinema Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file. | |||||
| CVE-2023-51319 | 1 Phpjabbers | 1 Bus Reservation System | 2025-11-04 | N/A | 8.8 HIGH |
| PHPJabbers Bus Reservation System v1.1 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file. | |||||
| CVE-2023-51311 | 1 Phpjabbers | 1 Car Park Booking System | 2025-11-04 | N/A | 8.8 HIGH |
| PHPJabbers Car Park Booking System v3.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file. | |||||
| CVE-2024-3232 | 1 Tenable | 1 Identity Exposure | 2025-10-22 | N/A | 7.6 HIGH |
| A formula injection vulnerability exists in Tenable Identity Exposure where an authenticated remote attacker with administrative privileges could manipulate application form fields in order to trick another administrator into executing CSV payloads. - CVE-2024-3232 | |||||
| CVE-2025-62417 | 1 Webkul | 1 Bagisto | 2025-10-22 | N/A | 7.8 HIGH |
| Bagisto is an open source Laravel eCommerce platform. When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved into a CSV and opened in spreadsheet software, the spreadsheet will interpret that cell as a formula. This allows an attacker to supply a CSV field (e.g., product name) that contains a formula which may be evaluated by a victim’s spreadsheet application — potentially leading to data exfiltration and remote command execution (via older Excel exploits / OLE/cmd constructs or Excel macros). This vulnerability is fixed in 2.3.8. | |||||
| CVE-2024-45084 | 2 Ibm, Microsoft | 3 Cognos Controller, Controller, Windows | 2025-09-29 | N/A | 8.0 HIGH |
| IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 could allow an authenticated attacker to conduct formula injection. An attacker could execute arbitrary commands on the system, caused by improper validation of file contents. | |||||
| CVE-2024-24337 | 1 Koha | 1 Koha | 2025-09-29 | N/A | 8.0 HIGH |
| CSV Injection vulnerability in '/members/moremember.pl' and '/admin/aqbudgets.pl' endpoints in Koha Library Management System version 23.05.05 and earlier allows attackers to inject DDE commands into csv exports via the 'Budget' and 'Patrons Member' components. | |||||
| CVE-2023-48029 | 1 Corebos | 1 Corebos | 2025-09-29 | N/A | 8.0 HIGH |
| Corebos 8.0 and below is vulnerable to CSV Injection. An attacker with low privileges can inject a malicious command into a table. This vulnerability is exploited when an administrator visits the user management section, exports the data to a CSV file, and then opens it, leading to the execution of the malicious payload on the administrator's computer. | |||||
| CVE-2025-56267 | 1 Avigilon | 1 Access Control Manager | 2025-09-12 | N/A | 9.8 CRITICAL |
| A CSV injection vulnerability in the /id_profiles endpoint of Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via supplying a crafted Excel file. | |||||
