Total
266 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-40472 | 1 Zktec | 1 Zkbio Time | 2025-05-20 | N/A | 8.0 HIGH |
| ZKTeco Xiamen Information Technology ZKBio Time 8.0.7 Build: 20220721.14829 was discovered to contain a CSV injection vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the Content text field of the Add New Message module. | |||||
| CVE-2022-3393 | 1 Bestwebsoft | 1 Post To Csv | 2025-05-07 | N/A | 9.8 CRITICAL |
| The Post to CSV by BestWebSoft WordPress plugin through 1.4.0 does not properly escape fields when exporting data as CSV, leading to a CSV injection | |||||
| CVE-2022-40294 | 1 Phppointofsale | 1 Php Point Of Sale | 2025-05-06 | N/A | 8.8 HIGH |
| The application was identified to have an CSV injection in data export functionality, allowing for malicious code to be embedded within export data and then triggered in exported data viewers. | |||||
| CVE-2022-22425 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2025-05-05 | N/A | 9.8 CRITICAL |
| "IBM InfoSphere Information Server 11.7 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 223598." | |||||
| CVE-2022-37905 | 1 Arubanetworks | 12 7005, 7008, 7010 and 9 more | 2025-05-02 | N/A | 6.6 MEDIUM |
| Vulnerabilities in ArubaOS running on 7xxx series controllers exist that allows an attacker to execute arbitrary code during the boot sequence. Successful exploitation could allow an attacker to achieve permanent modification of the underlying operating system. | |||||
| CVE-2022-3463 | 1 Fluentforms | 1 Contact Form | 2025-05-01 | N/A | 9.8 CRITICAL |
| The Contact Form Plugin WordPress plugin before 4.3.13 does not validate and escape fields when exporting form entries as CSV, leading to a CSV injection | |||||
| CVE-2022-3558 | 1 Codection | 1 Import And Export Users And Customers | 2025-05-01 | N/A | 8.0 HIGH |
| The Import and export users and customers WordPress plugin before 1.20.5 does not properly escape data when exporting it via CSV files. | |||||
| CVE-2022-3574 | 1 Wpforms | 1 Wpforms Pro | 2025-04-30 | N/A | 9.8 CRITICAL |
| The WPForms Pro WordPress plugin before 1.7.7 does not validate its form data when generating the exported CSV, which could lead to CSV injection. | |||||
| CVE-2022-44830 | 1 Event Registration Application Project | 1 Event Registration Application | 2025-04-29 | N/A | 7.8 HIGH |
| Sourcecodester Event Registration App v1.0 was discovered to contain multiple CSV injection vulnerabilities via the First Name, Contact and Remarks fields. These vulnerabilities allow attackers to execute arbitrary code via a crafted excel file. | |||||
| CVE-2023-51302 | 1 Phpjabbers | 1 Hotel Booking System | 2025-04-23 | N/A | 8.8 HIGH |
| PHPJabbers Hotel Booking System v4.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file. | |||||
| CVE-2023-51298 | 1 Phpjabbers | 1 Event Booking Calendar | 2025-04-22 | N/A | 4.7 MEDIUM |
| PHPJabbers Event Booking Calendar v4.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file. | |||||
| CVE-2024-53260 | 1 Autolabproject | 1 Autolab | 2025-04-21 | N/A | 6.8 MEDIUM |
| Autolab is a course management service that enables auto-graded programming assignments. A user can modify their first and or last name to include a valid excel / spreadsheet formula. When an instructor downloads their course's roster and opens, this name will then be evaluated as a formula. This could lead to leakage of information of students in the course roster by sending the data to a remote endpoint. This issue has been patched in the source code repository and the fix is expected to be released in the next version. Users are advised to manually patch their systems or to wait for the next release. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-28764 | 2 Ibm, Linux | 2 Websphere Automation, Linux Kernel | 2025-04-11 | N/A | 6.5 MEDIUM |
| IBM WebSphere Automation 1.7.0 could allow an attacker with privileged access to the network to conduct a CSV injection. An attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 285623. | |||||
| CVE-2022-37786 | 1 Wecube-platform Project | 1 Wecube-platform | 2025-04-11 | N/A | 6.3 MEDIUM |
| An issue was discovered in WeCube Platform 3.2.2. There are multiple CSV injection issues: the [Home / Admin / Resources] page, the [Home / Admin / System Params] page, and the [Home / Design / Basekey Configuration] page. | |||||
| CVE-2024-47485 | 1 Hikvision | 1 Hikcentral Master | 2025-03-13 | N/A | 9.8 CRITICAL |
| There is a CSV injection vulnerability in some HikCentral Master Lite versions. If exploited, an attacker could build malicious data to generate executable commands in the CSV file. | |||||
| CVE-2022-38061 | 1 Apasionados | 1 Export Post Info | 2025-02-20 | N/A | 6.2 MEDIUM |
| Authenticated (author+) CSV Injection vulnerability in Export Post Info plugin <= 1.2.0 at WordPress. | |||||
| CVE-2023-46400 | 1 Kwhotel | 1 Kwhotel | 2025-02-07 | N/A | 9.8 CRITICAL |
| KWHotel 0.47 is vulnerable to CSV Formula Injection in the add guest function. | |||||
| CVE-2019-16120 | 1 Liquidweb | 1 Event Tickets | 2025-02-07 | 6.5 MEDIUM | 8.8 HIGH |
| CSV injection in the event-tickets (Event Tickets) plugin before 4.10.7.2 for WordPress exists via the "All Post> Ticketed > Attendees" Export Attendees feature. | |||||
| CVE-2023-46401 | 1 Kwhotel | 1 Kwhotel | 2025-02-04 | N/A | 9.8 CRITICAL |
| KWHotel 0.47 is vulnerable to CSV Formula Injection in the invoice adding function. | |||||
| CVE-2023-25348 | 1 Churchcrm | 1 Churchcrm | 2025-02-04 | N/A | 7.8 HIGH |
| ChurchCRM 4.5.3 was discovered to contain a CSV injection vulnerability via the Last Name and First Name input fields when creating a new person. These vulnerabilities allow attackers to execute arbitrary code via a crafted excel file. | |||||