CVE & CISA-KEV Catalog

362,600 CVEs · 1,630 actively exploited (KEV)
Active:
  • CVSS 6.9 v3·EPSS 0.2%·No fix yet

    Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 are vulnerable to CSV Injection (Formula Injection) in its log export functionality. User-controlled data — specifically the username field — is written to exported CSV files without sanitizing formula trigger characters (=, +, -, @). When an administrator exports activity logs and opens the resulting CSV in a spreadsheet application (Microsoft Excel, LibreOffice Calc, Google Sheets), any formula stored in a username is executed by the application. This can be used for phishing attacks against administrators or data exfiltration. Versions 4.2.4 and 4.3.3 patch the issue.

    Published 2026-06-23

  • CVSS 8.8 v3·EPSS 0.3%·No fix yet

    Improper neutralization of formula elements in a CSV file vulnerability in MIA Technology Inc. Pizzy Library allows Code Injection. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.

    Published 2026-06-15

  • CVSS 7.1 v3·EPSS 0.2%·No fix yet

    HCL iControl was affected by an Export CSV - CSV Injection vulnerability. It is also vulnerable to a reflected cross-site scripting vulnerability. Both were caused by insufficient sanitization of input parameters.

    Published 2026-06-04

  • CVSS 4.7 v3·EPSS 0.2%·No fix yet

    A vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System up to 1.0. This issue affects the function create_supplier of the file /Export_csv/export of the component Supplier Creation Interface. This manipulation of the argument Address/Company Name causes csv injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

    Published 2026-06-01

  • CVSS 6.8 v3·EPSS 0.2%·Fix available

    Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications.

    Published 2026-05-28

  • CVSS 4.6 v3·EPSS 0.2%·Fix available

    RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output file, which can cause spreadsheet applications to interpret crafted values as formulas or macros when the file is opened. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by avoiding opening exported RT spreadsheet files directly in spreadsheet applications when the data may contain untrusted user input.

    Published 2026-05-22

  • CVSS 5.8 v3·EPSS 0.3%·Fix available

    Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0 contain an improper neutralization of formula elements in a CSV file vulnerability in the UI. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to remote execution.

    Published 2026-05-11

  • CVSS 5.7 v3·EPSS 0.2%·Fix available

    Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM(54+51)) via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue() joins tag names with implode() and returns the result unchanged. OpenSpout promotes any =-prefixed string to a FormulaCell, writing <f>SUM(54+51)</f> into the XLSX archive. Excel evaluates the formula when the file is opened. This issue has been patched in version 2.54.0.

    Published 2026-05-08

  • CVSS 6.5 v3·EPSS 0.2%·Fix available

    Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. An attacker can inject spreadsheet formulas through exported fields. When a manager or administrator opens the exported CSV file in spreadsheet software, this can cause formula execution and lead to command execution or data exfiltration. This has been patched in version 6.13.0.

    Published 2026-05-05

  • CVSS 8.8 v3·EPSS 0.4%·No fix yet

    ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to execute arbitrary code by injecting formula payloads into vendor name fields. Attackers can add malicious formulas like =10+20+cmd|' /C calc'!A0 in the vendor creation form, which execute when the exported CSV file is opened in spreadsheet applications.

    Published 2026-05-05

  • CVSS 9.8 v3·EPSS 0.7%·No fix yet

    An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field.

    Published 2026-04-14

  • CVSS 4.7 v3·EPSS 0.4%·Fix available

    MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, the chat export feature is vulnerable to Improper Neutralization of Formula Elements in a CSV File. When an administrator exports the application chat history to an Excel file (.xlsx) via the /admin/api/workspace/{workspace_id}/application/{application_id}/chat/export endpoint, strings starting with formula characters are written directly without proper sanitization. Opening this file in spreadsheet applications like Microsoft Excel can lead to Arbitrary Code Execution (RCE) on the administrator's workstation via Dynamic Data Exchange (DDE). The issue is a variant of CVE-2025-4546, which fixed the exact same pattern in apps/dataset/serializers/document_serializers.py but missed the application chat export sin

    Published 2026-04-14

  • CVSS 6.5 v3·EPSS 0.2%·No fix yet

    If malformed data is input to the affected product, a CSV file downloaded from the affected product may contain that malformed data. When a victim user downloads and opens such a CSV file, the embedded code may be executed in the user's environment. Note that the Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.

    Published 2026-02-04

  • CVSS 6.1 v3·EPSS 0.3%·Fix available

    A flaw was found in Moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet.

    Published 2026-02-03

  • CVSS 9.8 v3·EPSS 11%·No fix yet

    Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like '=10+20+cmd|' /C calc'!A0' in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications.

    Published 2026-01-28

  • CVSS 9.8 v3·EPSS 0.4%·No fix yet

    Dirsearch 0.4.1 contains a CSV injection vulnerability when using the --csv-report flag that allows attackers to inject formulas through redirected endpoints. Attackers can craft malicious server redirects with comma-separated paths containing Excel formulas to manipulate the generated CSV report.

    Published 2026-01-27

  • CVSS 9.8 v3·EPSS 0.5%·No fix yet

    Knockpy 4.1.1 contains a CSV injection vulnerability that allows attackers to inject malicious formulas into CSV reports through unfiltered server headers. Attackers can manipulate server response headers to include spreadsheet formulas that will execute when the CSV is opened in spreadsheet applications.

    Published 2026-01-27

  • CVSS 9.0 v3·EPSS 0.5%·No fix yet

    hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through the contest rank export functionality (contestrank.xls.php and admin/ranklist_export.php). The application fails to sanitize user-supplied input (specifically the "Nickname" field) before exporting it to an .xls file (which renders as an HTML table but is opened by Excel). If a malicious user sets their nickname to an Excel formula and an administrator then exports and opens the rank list in Microsoft Excel, the formula will be executed. This can lead to arbitrary command execution (RCE) on the administrator's machine or data exfiltration. A fix was not available at the time of publication.

    Published 2026-01-22

  • CVSS 2.6 v3·EPSS 0.2%·Fix available

    Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used.

    Published 2026-01-16

  • CVSS 7.3 v3·EPSS 0.3%·No fix yet

    A CSV Formula Injection vulnerability in TrueConf Server v5.5.2.10813 allows a normal user to inject malicious spreadsheet formulas into exported chat logs via crafted Display Name.

    Published 2025-12-30

  • CVSS 8.8 v3·EPSS 0.4%·No fix yet

    phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV file.

    Published 2025-12-17

  • CVSS 8.8 v3·EPSS 0.6%·No fix yet

    Rukovoditel 3.3.1 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into the firstname field. Attackers can craft payloads like =calc|a!z| to trigger code execution when an admin exports customer data as a CSV file.

    Published 2025-12-17

  • CVSS 8.0 v3·EPSS 0.4%·No fix yet

    ProjectSend r1605 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into user profile names. Attackers can craft payloads like =calc|a!z| in the name field to trigger code execution when administrators export action logs as CSV files.

    Published 2025-12-17

  • CVSS 4.7 v3·EPSS 0.3%·No fix yet

    A security vulnerability has been detected in SourceCodester Inventory Management System 1.0. The affected element is an unknown function of the component SVC Report Export. Such manipulation leads to csv injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.

    Published 2025-12-08

  • CVSS 7.5 v3·EPSS 0.3%·No fix yet

    CSV formula injection vulnerability in HCL Technologies Ltd. Unica 12.0.0.

    Published 2025-11-28

  • CVSS 6.6 v3·EPSS 0.2%·No fix yet

    The Simple User Import Export plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.1.7 via the 'Import/export users' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

    Published 2025-11-18

  • CVSS 6.3 v3·EPSS 0.3%·No fix yet

    A vulnerability was detected in Axosoft Scrum and Bug Tracking 22.1.1.11545. The impacted element is an unknown function of the component Edit Ticket Page. Performing manipulation of the argument Title results in csv injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

    Published 2025-10-27

  • CVSS 4.3 v3·EPSS 0.3%·No fix yet

    The AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.6.5. This is due to insufficient sanitization in the 'newcodebyte_chatbot_export_messages' function. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

    Published 2025-10-24

  • CVSS 6.5 v3·EPSS 0.4%·No fix yet

    A CSV Injection vulnerability existed in Instant Developer Foundation versions prior to 25.0.9600. Applications built with affected versions of the framework did not properly sanitize user-controlled input before including it in CSV exports. This issue could lead to code execution on the system where the exported CSV file is opened.

    Published 2025-10-23

  • CVSS 7.8 v3·EPSS 0.4%·No fix yet

    Bagisto is an open source Laravel eCommerce platform. When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved into a CSV and opened in spreadsheet software, the spreadsheet will interpret that cell as a formula. This allows an attacker to supply a CSV field (e.g., product name) that contains a formula which may be evaluated by a victim’s spreadsheet application — potentially leading to data exfiltration and remote command execution (via older Excel exploits / OLE/cmd constructs or Excel macros). This vulnerability is fixed in 2.3.8.

    Published 2025-10-16

  • CVSS 6.1 v3·EPSS 0.3%·No fix yet

    An Improper Neutralization of Formula Elements in a CSV File vulnerability exists in System Diagnostics Manager (SDM) of B&R Automation Runtime versions before 6.4, enabling a remote attacker to inject formula data into a generated CSV file. Exploitation of this vulnerability requires the attacker to create a malicious link. The user would need to click on this link, after which the resulting CSV file additionally needs to be manually opened.

    Published 2025-10-14

  • CVSS 4.3 v3·EPSS 0.3%·No fix yet

    The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 27.0.3 via gallery submissions. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

    Published 2025-10-11

  • CVSS 5.5 v3·EPSS 0.2%·No fix yet

    A vulnerability was detected in Axosoft Scrum and Bug Tracking 22.1.1.11545. This issue affects some unknown processing of the component Add Work Item Page. The manipulation of the argument Title results in csv injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

    Published 2025-10-05

  • CVSS 4.1 v3·EPSS 0.2%·No fix yet

    Medical Informatics Engineering Enterprise Health has a CSV injection vulnerability that allows a remote, authenticated attacker to inject macros in downloadable CSV files. This issue is fixed as of 2025-03-14.

    Published 2025-09-29

  • CVSS 9.8 v3·EPSS 0.7%·No fix yet

    A CSV injection vulnerability in the /id_profiles endpoint of Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via supplying a crafted Excel file.

    Published 2025-09-08

  • CVSS 7.1 v3·EPSS 0.2%·No fix yet

    Improper Neutralization of Formula Elements in a CSV File vulnerability in Denis V (Artprima) AP HoneyPot WordPress Plugin ap-honeypot allows Reflected XSS. This issue affects AP HoneyPot WordPress Plugin: from n/a through <= 1.4.

    Published 2025-09-05

  • CVSS 4.7 v3·EPSS 0.4%·No fix yet

    There is a CSV Injection Vulnerability in some HikCentral Master Lite versions. This could allow an attacker to inject executable commands via malicious CSV data.

    Published 2025-08-29

  • CVSS 8.8 v3·EPSS 0.6%·Fix available

    UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Versions 0.3.0 and prior are vulnerable to CSV injection, also known as formula injection, in the Quick Export feature. This vulnerability allows attackers to inject malicious content into exported CSV files. When the CSV file is opened in spreadsheet applications such as Microsoft Excel, the malicious input may be interpreted as a formula or command, potentially resulting in the execution of arbitrary code on the victim's device. Successful exploitation can lead to remote code execution, including the establishment of a reverse shell. Users are advised to upgrade to version 0.3.1 or later.

    Published 2025-08-22

  • CVSS 6.3 v3·EPSS 0.3%·No fix yet

    A weakness has been identified in elunez eladmin up to 2.7. This affects the function exportUser. This manipulation causes csv injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited.

    Published 2025-08-20

  • CVSS 5.4 v3·EPSS 0.2%·No fix yet

    CycloneDX Sunshine v0.9 is vulnerable to CSV Formula Injection via a crafted JSON file.

    Published 2025-08-13

  • CVSS 4.8 v3·EPSS 0.3%·No fix yet

    The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 0.16.17 via the 'download_csv_players' and 'download_csv_games' functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

    Published 2025-08-12

  • CVSS 4.3 v3·EPSS 0.3%·No fix yet

    A vulnerability was found in xujeff tianti 天梯 up to 2.3. It has been rated as problematic. This issue affects the function exportOrder of the file /tianti-module-admin/user/ajax/save of the component com.jeff.tianti.controller. The manipulation leads to csv injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

    Published 2025-08-10

  • CVSS 8.8 v3·EPSS 0.4%·No fix yet

    Archer 6.11.00204.10014 allows attackers to execute arbitrary code via crafted system inputs that would be exported into the CSV and be executed after the user opened the file with compatible applications. NOTE: the Supplier does not accept this as a valid vulnerability report against their product.

    Published 2025-07-31

  • CVSS 6.5 v3·EPSS 0.2%·Fix available

    Multiple versions of PowerCMS improperly neutralize formula elements in a CSV file. If a product user creates a malformed entry and a victim user downloads it as a CSV file and opens it in the user's environment, the embedded code may be executed.

    Published 2025-07-31

  • CVSS 4.1 v3·EPSS 0.2%·No fix yet

    The Broken Link Notifier plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.3.0 via broken links that are later exported. This makes it possible for authenticated attackers, with Contributor-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

    Published 2025-07-11

  • CVSS 2.7 v3·EPSS 0.3%·No fix yet

    A vulnerability was found in Intelbras InControl up to 2.21.60.9. It has been declared as problematic. This vulnerability affects unknown code of the file /v1/operador/. The manipulation leads to csv injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

    Published 2025-07-04

  • CVSS 9.8 v3·EPSS 0.5%·No fix yet

    A CSV injection vulnerability in NCR Terminal Handler v1.5.1 allows attackers to execute arbitrary commands via injecting a crafted payload into any text field that accepts strings.

    Published 2025-06-23

  • CVSS -·EPSS 0.2%·No fix yet

    Data provided in a request performed to the server while activating a new device are put in a database. Other high privileged users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC. This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite).

    Published 2025-05-21

  • CVSS 4.7 v3·EPSS 0.5%·No fix yet

    A vulnerability was found in 1Panel-dev MaxKB up to 1.10.7. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Knowledge Base Module. The manipulation leads to csv injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.10.8 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early about this disclosure.

    Published 2025-05-11

  • CVSS 9.8 v3·EPSS 0.7%·Fix available

    Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version < 2.6.0. Users are recommended to upgrade to version 2.6.0, which fixes this issue.

    Published 2025-03-03

Uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog.