Total
281 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-67851 | 1 Moodle | 1 Moodle | 2026-02-11 | 6.1 Medium |
| A flaw was found in moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet. | ||||
| CVE-2026-24447 | 2 Six Apart, Six Apart Ltd | 2 Movable Type, Movable Type | 2026-02-04 | N/A |
| If a malformed data is input to the affected product, a CSV file downloaded from the affected product may contain such malformed data. When a victim user download and open such a CSV file, the embedded code may be executed in the user's environment. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well. | ||||
| CVE-2021-47901 | 1 Maurosoria | 1 Dirsearch | 2026-01-29 | 9.8 Critical |
| Dirsearch 0.4.1 contains a CSV injection vulnerability when using the --csv-report flag that allows attackers to inject formulas through redirected endpoints. Attackers can craft malicious server redirects with comma-separated paths containing Excel formulas to manipulate the generated CSV report. | ||||
| CVE-2025-61873 | 1 Bestpractical | 1 Request Tracker | 2026-01-26 | 2.6 Low |
| Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used. | ||||
| CVE-2025-50572 | 2026-01-12 | 8.8 High | ||
| Archer 6.11.00204.10014 allows attackers to execute arbitrary code via crafted system inputs that would be exported into the CSV and be executed after the user opened the file with compatible applications. NOTE: the Supplier does not accept this as a valid vulnerability report against their product. | ||||
| CVE-2024-27785 | 1 Fortinet | 1 Fortiaiops | 2026-01-09 | 5.1 Medium |
| An improper neutralization of formula elements in a CSV File [CWE-1236] vulnerability in Fortinet FortiAIOps 2.0.0 may allow a remote authenticated attacker to execute arbitrary commands on a client's workstation via poisoned CSV reports. | ||||
| CVE-2025-66834 | 1 Trueconf | 1 Server | 2026-01-07 | 7.3 High |
| A CSV Formula Injection vulnerability in TrueConf Server v5.5.2.10813 allows a normal user to inject malicious spreadsheet formulas into exported chat logs via crafted Display Name. | ||||
| CVE-2025-35033 | 2 Medical Informatics Engineering, Mieweb | 2 Enterprise Health, Enterprise Health | 2026-01-02 | 4.1 Medium |
| Medical Informatics Engineering Enterprise Health has a CSV injection vulnerability that allows a remote, authenticated attacker to inject macros in downloadable CSV files. This issue is fixed as of 2025-03-14. | ||||
| CVE-2025-14229 | 2 Sourcecodester, Warren-daloyan | 2 Inventory Management System, Inventory Management System | 2025-12-10 | 4.7 Medium |
| A security vulnerability has been detected in SourceCodester Inventory Management System 1.0. The affected element is an unknown function of the component SVC Report Export. Such manipulation leads to csv injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2024-28111 | 1 Thinkst | 1 Canarytokens | 2025-12-05 | 6.5 Medium |
| Canarytokens helps track activity and actions on a network. Canarytokens.org supports exporting the history of a Canarytoken's incidents in CSV format. The generation of these CSV files is vulnerable to a CSV Injection vulnerability. This flaw can be used by an attacker who discovers an HTTP-based Canarytoken to target the Canarytoken's owner, if the owner exports the incident history to CSV and opens in a reader application such as Microsoft Excel. The impact is that this issue could lead to code execution on the machine on which the CSV file is opened. Version sha-c595a1f8 contains a fix for this issue. | ||||
| CVE-2025-51735 | 1 Hcltech | 1 Unica | 2025-12-02 | 7.5 High |
| CSV formula injection vulnerability in HCL Technologies Ltd. Unica 12.0.0. | ||||
| CVE-2023-51336 | 1 Phpjabbers | 1 Meeting Room Booking System | 2025-11-04 | 8.8 High |
| PHPJabbers Meeting Room Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file. | ||||
| CVE-2023-51333 | 1 Phpjabbers | 1 Cinema Booking System | 2025-11-04 | 8.8 High |
| PHPJabbers Cinema Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file. | ||||
| CVE-2023-51319 | 1 Phpjabbers | 1 Bus Reservation System | 2025-11-04 | 8.8 High |
| PHPJabbers Bus Reservation System v1.1 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file. | ||||
| CVE-2023-51311 | 1 Phpjabbers | 1 Car Park Booking System | 2025-11-04 | 8.8 High |
| PHPJabbers Car Park Booking System v3.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file. | ||||
| CVE-2025-9241 | 2 Eladmin, Elunez | 2 Eladmin, Eladmin | 2025-10-31 | 6.3 Medium |
| A weakness has been identified in elunez eladmin up to 2.7. This affects the function exportUser. This manipulation causes csv injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-12249 | 1 Axosoft | 1 Scrum And Bug Tracking | 2025-10-27 | 6.3 Medium |
| A vulnerability was detected in Axosoft Scrum and Bug Tracking 22.1.1.11545. The impacted element is an unknown function of the component Edit Ticket Page. Performing manipulation of the argument Title results in csv injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-60852 | 1 Instant Developer | 1 Instant Developer Framework | 2025-10-27 | 6.5 Medium |
| A CSV Injection vulnerability existed in Instant Developer Foundation versions prior to 25.0.9600. Applications built with affected versions of the framework did not properly sanitize user-controlled input before including it in CSV exports. This issue could lead to code execution on the system where the exported CSV file is opened. | ||||
| CVE-2024-3232 | 1 Tenable | 1 Identity Exposure | 2025-10-22 | 7.6 High |
| A formula injection vulnerability exists in Tenable Identity Exposure where an authenticated remote attacker with administrative privileges could manipulate application form fields in order to trick another administrator into executing CSV payloads. - CVE-2024-3232 | ||||
| CVE-2025-62417 | 1 Webkul | 1 Bagisto | 2025-10-22 | 7.8 High |
| Bagisto is an open source laravel eCommerce platform. When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved into a CSV and opened in spreadsheet software, the spreadsheet will interpret that cell as a formula. This allows an attacker to supply a CSV field (e.g., product name) that contains a formula which may be evaluated by a victim’s spreadsheet application — potentially leading to data exfiltration and remote command execution (via older Excel exploits / OLE/cmd constructs or Excel macros). This vulnerability is fixed in 2.3.8. | ||||