
Byte Open Security

(ByteOS Network)

Vulnerability Details: CVE-2023-46401

Summary
Assigner: mitre
Assigner Org ID: 8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At: 23 Jan, 2025 | 00:00
Updated At: 28 Jan, 2025 | 16:55
Rejected At:
Credits

KWHotel 0.47 is vulnerable to CSV Formula Injection in the invoice adding function.

Vendors: Not available
Products: -
Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner: mitre
Assigner Org ID: 8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At: 23 Jan, 2025 | 00:00
Updated At: 28 Jan, 2025 | 16:55
Rejected At:

CVE Numbering Authority (CNA)

KWHotel 0.47 is vulnerable to CSV Formula Injection in the invoice adding function.

Affected Products
Vendor: n/a
Product: n/a
Versions Affected: n/a
Problem Types
Type: text
CWE ID: N/A
Description: n/a
References
Hyperlink: https://gist.github.com/6en6ar/5d39374d6ced8acbe489e0b1b932d056
Resource: N/A

Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Problem Types
Type: CWE
CWE ID: CWE-1236
Description: CWE-1236 Improper Neutralization of Formula Elements in a CSV File
Metrics
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References
Hyperlink: https://gist.github.com/6en6ar/5d39374d6ced8acbe489e0b1b932d056
Resource: exploit

National Vulnerability Database (NVD)
nvd.nist.gov
Source: cve@mitre.org
Published At: 23 Jan, 2025 | 22:15
Updated At: 04 Feb, 2025 | 21:02

KWHotel 0.47 is vulnerable to CSV Formula Injection in the invoice adding function.

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Type: Secondary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CPE Matches

kwhotel >> kwhotel >> 0.47
cpe:2.3:a:kwhotel:kwhotel:0.47:*:*:*:*:*:*:*
Weaknesses
CWE ID: CWE-1236
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-1236
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
References
Hyperlink: https://gist.github.com/6en6ar/5d39374d6ced8acbe489e0b1b932d056
Source: cve@mitre.org
Resource: Exploit, Third Party Advisory

Hyperlink: https://gist.github.com/6en6ar/5d39374d6ced8acbe489e0b1b932d056
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource: Exploit, Third Party Advisory

Similar CVEs

89 records found

CVE-2023-46400
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-4.3 (MEDIUM)
EPSS-0.36% / 27.93%
7 Day CHG~0.00%
Published-23 Jan, 2025 | 00:00
Updated-07 Feb, 2025 | 21:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

KWHotel 0.47 is vulnerable to CSV Formula Injection in the add guest function.

Action-Not Available
Vendor-kwhoteln/a
Product-kwhoteln/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2020-25398
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8 (HIGH)
EPSS-1.98% / 78.12%
7 Day CHG~0.00%
Published-05 Nov, 2020 | 15:08
Updated-04 Aug, 2024 | 15:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CSV Injection exists in InterMind iMind Server through 3.13.65 via the csv export functionality.

Action-Not Available
Vendor-mindn/a
Product-imind_servern/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2019-13144
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8 (CRITICAL)
EPSS-1.84% / 76.35%
7 Day CHG~0.00%
Published-05 Jul, 2019 | 12:02
Updated-04 Aug, 2024 | 23:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

myTinyTodo 1.3.3 through 1.4.3 allows CSV Injection. This is fixed in 1.5.

Action-Not Available
Vendor-mytinytodon/a
Product-mytinytodon/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2020-22275
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8 (HIGH)
EPSS-2.14% / 79.84%
7 Day CHG~0.00%
Published-04 Nov, 2020 | 16:59
Updated-04 Aug, 2024 | 14:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Easy Registration Forms (ER Forms) Wordpress Plugin 2.0.6 allows an attacker to submit an entry with malicious CSV commands. After that, when the system administrator generates CSV output from the forms information, there is no check on these inputs and the codes are executable.

Action-Not Available
Vendor-easyregistrationformsn/a
Product-easy_registration_formsn/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2020-22390
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8 (HIGH)
EPSS-1.59% / 72.68%
7 Day CHG~0.00%
Published-21 Jun, 2021 | 14:02
Updated-04 Aug, 2024 | 14:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Akaunting <= 2.0.9 is vulnerable to CSV injection in the Item name field, export function. Attackers can inject arbitrary code into the name parameter and perform code execution when the crafted file is opened.

Action-Not Available
Vendor-n/aAkaunting Inc.
Product-akauntingn/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2020-22278
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8 (HIGH)
EPSS-1.51% / 71.30%
7 Day CHG~0.00%
Published-04 Nov, 2020 | 16:52
Updated-04 Aug, 2024 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

phpMyAdmin through 5.0.2 allows CSV injection via Export Section. NOTE: the vendor disputes this because "the CSV file is accurately generated based on the database contents."

Action-Not Available
Vendor-n/aphpMyAdmin
Product-phpmyadminn/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2020-22274
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8 (CRITICAL)
EPSS-1.61% / 72.97%
7 Day CHG~0.00%
Published-04 Nov, 2020 | 17:06
Updated-04 Aug, 2024 | 14:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

JomSocial (Joomla Social Network Extension) 4.7.6 allows CSV injection via a customer's profile.

Action-Not Available
Vendor-jomsocialn/a
Product-jomsocialn/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2020-22276
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8 (CRITICAL)
EPSS-2.98% / 85.65%
7 Day CHG~0.00%
Published-04 Nov, 2020 | 16:54
Updated-04 Aug, 2024 | 14:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WeForms Wordpress Plugin 1.4.7 allows CSV injection via a form's entry.

Action-Not Available
Vendor-n/aweForms (InMotion Hosting, Inc.)
Product-weformsn/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2020-13826
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8 (HIGH)
EPSS-1.50% / 71.15%
7 Day CHG~0.00%
Published-19 Aug, 2020 | 19:39
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CSV injection (aka Excel Macro Injection or Formula Injection) issue in i-doit 1.14.2 allows an attacker to execute arbitrary commands via a Title parameter that is mishandled in a CSV export.

Action-Not Available
Vendor-i-doitn/a
Product-i-doitn/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2020-13146
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8 (HIGH)
EPSS-1.09% / 61.33%
7 Day CHG~0.00%
Published-18 May, 2020 | 18:24
Updated-04 Aug, 2024 | 12:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Studio in Open edX Ironwood 2.5 allows CSV injection because an added cohort in Course>Instructor>Cohorts may contain a formula that is exported via the "Course>Data Downloads>Reports>Download profile info" feature.

Action-Not Available
Vendor-edxn/a
Product-open_edx_platformn/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2019-4071
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.8 (MEDIUM)
EPSS-4.30% / 89.96%
7 Day CHG~0.00%
Published-09 May, 2019 | 15:10
Updated-16 Sep, 2024 | 22:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Tivoli Storage Productivity Center (IBM Spectrum Control Standard Edition 5.2.1 through 5.2.17) could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 157063.

Action-Not Available
Vendor-IBM Corporation
Product-tivoli_storage_productivity_centerspectrum_controlSpectrum Control Standard Edition
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2019-16184
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8 (CRITICAL)
EPSS-1.71% / 74.58%
7 Day CHG~0.00%
Published-09 Sep, 2019 | 20:27
Updated-05 Aug, 2024 | 01:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CSV injection vulnerability was found in Limesurvey before 3.17.14 that allows survey participants to inject commands via their survey responses that will be included in the export CSV file.

Action-Not Available
Vendor-limesurveyn/a
Product-limesurveyn/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2023-5424
Matching Score-4
Assigner-Wordfence
CVSS Score-4.7 (MEDIUM)
EPSS-0.49% / 38.79%
7 Day CHG~0.00%
Published-07 Jun, 2024 | 09:33
Updated-08 Apr, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WS Form LITE <= 1.9.217 - Unauthenticated CSV Injection

The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Action-Not Available
Vendor-westguardsolutionswestguardWS Form
Product-ws_formWS Form ProWS Form LITE – Drag & Drop Contact Form Builder
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2024-55532
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8 (CRITICAL)
EPSS-0.72% / 49.52%
7 Day CHG~0.00%
Published-03 Mar, 2025 | 16:04
Updated-21 May, 2025 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Ranger: Improper Neutralization of Formula Elements in a CSV File

Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version < 2.6.0. Users are recommended to upgrade to version 2.6.0, which fixes this issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-rangerApache Ranger
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2024-53555
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8 (HIGH)
EPSS-0.68% / 47.72%
7 Day CHG~0.00%
Published-26 Nov, 2024 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CSV injection vulnerability in Taiga v6.8.1 allows attackers to execute arbitrary code via uploading a crafted CSV file.

Action-Not Available
Vendor-n/ataigaio
Product-n/ataiga_front
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2019-12765
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8 (CRITICAL)
EPSS-10.49% / 95.21%
7 Day CHG~0.00%
Published-11 Jun, 2019 | 18:35
Updated-04 Aug, 2024 | 23:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Joomla! before 3.9.7. The CSV export of com_actionslogs is vulnerable to CSV injection.

Action-Not Available
Vendor-n/aJoomla!
Product-joomla\!n/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2024-47485
Matching Score-4
Assigner-Hangzhou Hikvision Digital Technology Co., Ltd.
CVSS Score-5.5 (MEDIUM)
EPSS-0.54% / 41.37%
7 Day CHG~0.00%
Published-18 Oct, 2024 | 08:29
Updated-13 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

There is a CSV injection vulnerability in some HikCentral Master Lite versions. If exploited, an attacker could build malicious data to generate executable commands in the CSV file.

Action-Not Available
Vendor-HIKVISION
Product-hikcentral_masterHikCentral Master Litehikcentral_master_lite
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2020-36941
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.3 (MEDIUM)
EPSS-0.49% / 38.82%
7 Day CHG~0.00%
Published-27 Jan, 2026 | 15:23
Updated-24 Mar, 2026 | 21:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Knockpy 4.1.1 - CSV Injection

Knockpy 4.1.1 contains a CSV injection vulnerability that allows attackers to inject malicious formulas into CSV reports through unfiltered server headers. Attackers can manipulate server response headers to include spreadsheet formulas that will execute when the CSV is opened in spreadsheet applications.

Action-Not Available
Vendor-guelfowebguelfoweb
Product-knockpyknock
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2023-23796
Matching Score-4
Assigner-Patchstack
CVSS Score-4.7 (MEDIUM)
EPSS-0.59% / 43.97%
7 Day CHG+0.09%
Published-07 Nov, 2023 | 16:01
Updated-28 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Form Builder Plugin <= 1.9.9.0 is vulnerable to CSV Injection

Improper Neutralization of Formula Elements in a CSV File vulnerability in Muneeb Form Builder | Create Responsive Contact Forms. This issue affects Form Builder | Create Responsive Contact Forms: from n/a through 1.9.9.0.

Action-Not Available
Vendor-web-settlerMuneeb
Product-form_builderForm Builder | Create Responsive Contact Forms
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2023-22877
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7 (HIGH)
EPSS-0.56% / 42.74%
7 Day CHG~0.00%
Published-28 Aug, 2023 | 00:34
Updated-16 Sep, 2024 | 18:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM InfoSphere Information Server CSV injection

IBM InfoSphere Information Server 11.7 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 244368.

Action-Not Available
Vendor-IBM Corporation
Product-infosphere_information_serverInfoSphere Information Server
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2023-2258
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.8 (HIGH)
EPSS-0.91% / 55.75%
7 Day CHG~0.00%
Published-24 Apr, 2023 | 00:00
Updated-04 Feb, 2025 | 17:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Neutralization of Formula Elements in a CSV File in alfio-event/alf.io

Improper Neutralization of Formula Elements in a CSV File in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304.

Action-Not Available
Vendor-alfalfio-event
Product-alfalfio-event/alf.io
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2023-22719
Matching Score-4
Assigner-Patchstack
CVSS Score-4.7 (MEDIUM)
EPSS-0.63% / 45.77%
7 Day CHG~0.00%
Published-07 Nov, 2023 | 15:41
Updated-28 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress GiveWP Plugin <= 2.25.1 is vulnerable to CSV Injection

Improper Neutralization of Formula Elements in a CSV File vulnerability in GiveWP. This issue affects GiveWP: from n/a through 2.25.1.

Action-Not Available
Vendor-GiveWPThe Events Calendar (StellarWP)
Product-givewpGiveWPgivewp
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2019-0403
Matching Score-4
Assigner-SAP SE
CVSS Score-9.8 (CRITICAL)
EPSS-2.09% / 79.34%
7 Day CHG~0.00%
Published-11 Dec, 2019 | 21:35
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SAP Enable Now, before version 1911, allows an attacker to input commands into the CSV files, which will be executed when opened, leading to CSV Command Injection.

Action-Not Available
Vendor-SAP SE
Product-enable_nowSAP Enable Now
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2020-14026
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8 (HIGH)
EPSS-1.73% / 74.87%
7 Day CHG~0.00%
Published-22 Sep, 2020 | 17:32
Updated-04 Aug, 2024 | 12:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the Export Of Contacts feature in Ozeki NG SMS Gateway through 4.17.6 via a value that is mishandled in a CSV export.

Action-Not Available
Vendor-ozekin/a
Product-ozeki_ng_sms_gatewayn/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2020-11548
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8 (CRITICAL)
EPSS-5.17% / 91.44%
7 Day CHG~0.00%
Published-04 Apr, 2020 | 23:48
Updated-04 Aug, 2024 | 11:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Search Meter plugin through 2.13.2 for WordPress allows user input introduced in the search bar to be any formula. The attacker could achieve remote code execution via CSV injection if a wp-admin/index.php?page=search-meter Export is performed.

Action-Not Available
Vendor-search_meter_projectn/a
Product-search_metern/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2023-41798
Matching Score-4
Assigner-Patchstack
CVSS Score-5.1 (MEDIUM)
EPSS-0.50% / 39.03%
7 Day CHG~0.00%
Published-07 Nov, 2023 | 17:19
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Directorist Plugin <= 7.7.1 is vulnerable to CSV Injection

Improper Neutralization of Formula Elements in a CSV File vulnerability in wpWax Directorist – WordPress Business Directory Plugin with Classified Ads Listing. This issue affects Directorist – WordPress Business Directory Plugin with Classified Ads Listings: from n/a through 7.7.1.

Action-Not Available
Vendor-wpwaxwpWax
Product-directoristDirectorist – WordPress Business Directory Plugin with Classified Ads Listings
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2026-35157
Matching Score-4
Assigner-Dell
CVSS Score-5.8 (MEDIUM)
EPSS-0.32% / 23.50%
7 Day CHG~0.00%
Published-11 May, 2026 | 09:33
Updated-12 May, 2026 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0, contains an improper neutralization of formula elements in a CSV File vulnerability in the UI. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to remote execution.

Action-Not Available
Vendor-Dell Inc.
Product-objectscaleelastic_cloud_storageECSObjectScale
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-46803
Matching Score-4
Assigner-Patchstack
CVSS Score-6.1 (MEDIUM)
EPSS-0.70% / 48.76%
7 Day CHG~0.00%
Published-07 Nov, 2023 | 16:40
Updated-28 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Noptin Plugin <= 1.9.5 is vulnerable to CSV Injection

Improper Neutralization of Formula Elements in a CSV File vulnerability in Noptin Newsletter Simple Newsletter Plugin – Noptin. This issue affects Simple Newsletter Plugin – Noptin: from n/a through 1.9.5.

Action-Not Available
Vendor-noptinNoptin Newsletter
Product-noptinSimple Newsletter Plugin – Noptin
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-46802
Matching Score-4
Assigner-Patchstack
CVSS Score-6.1 (MEDIUM)
EPSS-0.70% / 48.76%
7 Day CHG~0.00%
Published-07 Nov, 2023 | 16:07
Updated-28 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Product Reviews Import Export for WooCommerce Plugin <= 1.4.8 is vulnerable to CSV Injection

Improper Neutralization of Formula Elements in a CSV File vulnerability in WebToffee Product Reviews Import Export for WooCommerce. This issue affects Product Reviews Import Export for WooCommerce: from n/a through 1.4.8.

Action-Not Available
Vendor-webtoffeeWebToffee
Product-product_reviews_import_export_for_woocommerceProduct Reviews Import Export for WooCommerce
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2026-31049
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8 (CRITICAL)
EPSS-0.66% / 47.12%
7 Day CHG~0.00%
Published-14 Apr, 2026 | 00:00
Updated-27 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-46801
Matching Score-4
Assigner-Patchstack
CVSS Score-6.1 (MEDIUM)
EPSS-0.70% / 48.76%
7 Day CHG~0.00%
Published-07 Nov, 2023 | 16:11
Updated-28 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Site Reviews Plugin <= 6.2.0 is vulnerable to CSV Injection

Improper Neutralization of Formula Elements in a CSV File vulnerability in Paul Ryley Site Reviews. This issue affects Site Reviews: from n/a through 6.2.0.

Action-Not Available
Vendor-geminilabsPaul Ryley
Product-site_reviewsSite Reviews
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-46809
Matching Score-4
Assigner-Patchstack
CVSS Score-6.1 (MEDIUM)
EPSS-0.79% / 51.95%
7 Day CHG~0.00%
Published-07 Nov, 2023 | 16:37
Updated-28 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ReviewX Plugin <= 1.6.7 is vulnerable to CSV Injection

Improper Neutralization of Formula Elements in a CSV File vulnerability in WPDeveloper ReviewX – Multi-criteria Rating & Reviews for WooCommerce. This issue affects ReviewX – Multi-criteria Rating & Reviews for WooCommerce: from n/a through 1.6.7.

Action-Not Available
Vendor-ReviewXWPDeveloper
Product-reviewxReviewX – Multi-criteria Rating & Reviews for WooCommerce
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-47442
Matching Score-4
Assigner-Patchstack
CVSS Score-5.8 (MEDIUM)
EPSS-0.68% / 47.99%
7 Day CHG~0.00%
Published-07 Nov, 2023 | 15:09
Updated-28 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress UsersWP Plugin <= 1.2.3.9 is vulnerable to CSV Injection

Improper Neutralization of Formula Elements in a CSV File vulnerability in AyeCode Ltd UsersWP. This issue affects UsersWP: from n/a through 1.2.3.9.

Action-Not Available
Vendor-ayecodeAyeCode Ltdayecode
Product-userswpUsersWPuserswp
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-45360
Matching Score-4
Assigner-Patchstack
CVSS Score-4.7 (MEDIUM)
EPSS-0.61% / 44.95%
7 Day CHG~0.00%
Published-07 Nov, 2023 | 16:58
Updated-28 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Commenter Emails Plugin <= 2.6.1 is vulnerable to CSV Injection

Improper Neutralization of Formula Elements in a CSV File vulnerability in Scott Reilly Commenter Emails. This issue affects Commenter Emails: from n/a through 2.6.1.

Action-Not Available
Vendor-coffee2codeScott Reilly
Product-commenter_emailsCommenter Emails
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-45357
Matching Score-4
Assigner-Patchstack
CVSS Score-6.1 (MEDIUM)
EPSS-0.85% / 53.85%
7 Day CHG~0.00%
Published-07 Nov, 2023 | 15:45
Updated-28 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress 1003 Mortgage Application Plugin <= 1.75 is vulnerable to CSV Injection

Improper Neutralization of Formula Elements in a CSV File vulnerability in Lenderd 1003 Mortgage Application. This issue affects 1003 Mortgage Application: from n/a through 1.75.

Action-Not Available
Vendor-lenderdLenderdlenderd
Product-1003_mortgage_application1003 Mortgage Application1003_mortgage_application
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-45810
Matching Score-4
Assigner-Patchstack
CVSS Score-6.1 (MEDIUM)
EPSS-0.63% / 45.77%
7 Day CHG~0.00%
Published-07 Nov, 2023 | 16:50
Updated-28 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Email Subscribers & Newsletters Plugin <= 5.5.2 is vulnerable to CSV Injection

Improper Neutralization of Formula Elements in a CSV File vulnerability in Icegram Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce. This issue affects Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce: from n/a through 5.5.2.

Action-Not Available
Vendor-icegramIcegram
Product-icegram_expressIcegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-45350
Matching Score-4
Assigner-Patchstack
CVSS Score-3 (LOW)
EPSS-0.83% / 53.10%
7 Day CHG~0.00%
Published-07 Nov, 2023 | 15:05
Updated-28 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Simple History Plugin <= 3.3.1 is vulnerable to CSV Injection

Improper Neutralization of Formula Elements in a CSV File vulnerability in Pär Thernström Simple History – user activity log, audit tool. This issue affects Simple History – user activity log, audit tool: from n/a through 3.3.1.

Action-Not Available
Vendor-simple-historyPär Thernström
Product-simple_historySimple History – user activity log, audit tool
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-44738
Matching Score-4
Assigner-Patchstack
CVSS Score-5.8||MEDIUM
EPSS-0.82% / 52.89%
7 Day CHG~0.00%
Published-07 Nov, 2023 | 17:08
Updated-28 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Posts and Users Stats Plugin <= 1.1.3 is vulnerable to CSV Injection

Improper Neutralization of Formula Elements in a CSV File vulnerability in Patrick Robrecht Posts and Users Stats. This issue affects Posts and Users Stats: from n/a through 1.1.3.

Action-Not Available
Vendor-patrickrobrechtPatrick Robrecht
Product-posts_and_users_statsPosts and Users Stats
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-42882
Matching Score-4
Assigner-Patchstack
CVSS Score-5.8||MEDIUM
EPSS-0.78% / 51.64%
7 Day CHG~0.00%
Published-07 Nov, 2023 | 17:11
Updated-28 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Simple CSV/XLS Exporter Plugin <= 1.5.8 is vulnerable to CSV Injection

Improper Neutralization of Formula Elements in a CSV File vulnerability in Shambix Simple CSV/XLS Exporter. This issue affects Simple CSV/XLS Exporter: from n/a through 1.5.8.

Action-Not Available
Vendor-shambixShambix
Product-simple_csv\/xls_exporterSimple CSV/XLS Exporter
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2024-41226
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.55% / 41.95%
7 Day CHG~0.00%
Published-06 Aug, 2024 | 00:00
Updated-03 Sep, 2024 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CSV injection vulnerability in Automation Anywhere Automation 360 version 21094 allows attackers to execute arbitrary code via a crafted payload. NOTE: Automation Anywhere disputes this report, arguing the attacker executes everything from the client side and does not attack the Control Room. The payload is being injected in the http Response from the client-side, so the owner of the Response and payload is the end user in this case. They contend that the server's security controls have no impact or role to play in this situation and therefore this is not a valid vulnerability.

Action-Not Available
Vendor-automationanywheren/aautomationanywhere
Product-automation_360n/aautomation_360
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2020-10131
Matching Score-4
Assigner-CERT/CC
CVSS Score-9.8||CRITICAL
EPSS-1.28% / 66.43%
7 Day CHG~0.00%
Published-06 Sep, 2023 | 18:47
Updated-26 Sep, 2024 | 17:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CVE-2020-10131

SearchBlox before Version 9.2.1 is vulnerable to CSV macro injection in "Featured Results" parameter.

Action-Not Available
Vendor-searchbloxSearchBlox
Product-searchbloxSearchBlox
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-38702
Matching Score-4
Assigner-Patchstack
CVSS Score-5.8||MEDIUM
EPSS-0.60% / 44.62%
7 Day CHG~0.00%
Published-07 Nov, 2023 | 17:14
Updated-28 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP CSV Exporter Plugin <= 2.0 is vulnerable to CSV Injection

Improper Neutralization of Formula Elements in a CSV File vulnerability in Nakashima Masahiro WP CSV Exporter. This issue affects WP CSV Exporter: from n/a through 2.0.

Action-Not Available
Vendor-kigurumiNakashima Masahiro
Product-csv_exporterWP CSV Exporter
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-3600
Matching Score-4
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-1.22% / 64.95%
7 Day CHG~0.00%
Published-21 Nov, 2022 | 00:00
Updated-30 Apr, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Easy Digital Downloads < 3.1.0.2 - Unauthenticated CSV Injection

The Easy Digital Downloads WordPress plugin before 3.1.0.2 does not validate data when it is output in a CSV file, which could lead to CSV injection.

Action-Not Available
Vendor-UnknownAwesome Motive Inc.
Product-easy_digital_downloadsEasy Digital Downloads
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-3574
Matching Score-4
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-1.32% / 67.34%
7 Day CHG~0.00%
Published-14 Nov, 2022 | 00:00
Updated-30 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPForms Pro < 1.7.7 - CSV Injection

The WPForms Pro WordPress plugin before 1.7.7 does not validate its form data when generating the exported CSV, which could lead to CSV injection.

Action-Not Available
Vendor-UnknownWPForms, LLC
Product-wpforms_proWPForms Pro
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-3603
Matching Score-4
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-1.07% / 60.76%
7 Day CHG~0.00%
Published-28 Nov, 2022 | 13:47
Updated-25 Apr, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Export customers list CSV for WooCommerce < 2.0.69 - CSV Injection

The Export customers list csv for WooCommerce, WordPress users csv, export Guest customer list WordPress plugin before 2.0.69 does not validate data when outputting it back in a CSV file, which could lead to CSV injection.

Action-Not Available
Vendor-piwebsolutionUnknown
Product-export_customers_list_csv_for_woocommerceExport customers list csv for WooCommerce, WordPress users csv, export Guest customer list
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-3393
Matching Score-4
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-1.28% / 66.48%
7 Day CHG~0.00%
Published-25 Oct, 2022 | 00:00
Updated-07 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Post to CSV by BestWebSoft <= 1.4.0 - Author+ CSV Injection

The Post to CSV by BestWebSoft WordPress plugin through 1.4.0 does not properly escape fields when exporting data as CSV, leading to a CSV injection.

Action-Not Available
Vendor-UnknownBestWebSoft
Product-post_to_csvPost to CSV by BestWebSoft
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2024-3214
Matching Score-4
Assigner-Wordfence
CVSS Score-5.8||MEDIUM
EPSS-0.77% / 51.10%
7 Day CHG~0.00%
Published-09 Apr, 2024 | 18:59
Updated-08 Apr, 2026 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Relevanssi – A Better Search <= 4.22.1 - Unauthenticated Second Order CSV Injection

The Relevanssi – A Better Search plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 4.22.1. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Action-Not Available
Vendor-relevanssicomesioRelevanssirelevanssi
Product-relevanssiRelevanssi PremiumRelevanssi – A Better Searchrelevanssi
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2025-52612
Matching Score-4
Assigner-HCL Software
CVSS Score-7.1||HIGH
EPSS-0.20% / 9.89%
7 Day CHG~0.00%
Published-04 Jun, 2026 | 11:40
Updated-04 Jun, 2026 | 18:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL iControl was affected by Export CSV - CSV Injection vulnerability.

HCL iControl was affected by Export CSV - CSV Injection vulnerability. It is vulnerable to a reflected cross-site scripting vulnerability. This was caused by an insufficient sanitization of input parameters.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-icontroliControl
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-3026
Matching Score-4
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-1.05% / 60.22%
7 Day CHG~0.00%
Published-06 Sep, 2022 | 17:19
Updated-08 Apr, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Users Exporter <= 1.4.2 - CSV Injection

The WP Users Exporter plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.2 via the 'Export Users' functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into profile information like First Names that will embed into the exported CSV file triggered by an administrator and can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Action-Not Available
Vendor-wp-users-exporter_projectleogermani
Product-wp-users-exporterWP Users Exporter
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2022-24770
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-1.25% / 65.74%
7 Day CHG~0.00%
Published-17 Mar, 2022 | 20:30
Updated-23 Apr, 2025 | 18:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Neutralization of Formula Elements in a CSV File in Gradio Flagging

`gradio` is an open source framework for building interactive machine learning models and demos. Prior to version 2.8.11, `gradio` suffers from Improper Neutralization of Formula Elements in a CSV File. The `gradio` library has a flagging functionality which saves input/output data into a CSV file on the developer's computer. This can allow a user to save arbitrary text into the CSV file, such as commands. If a program like MS Excel opens such a file, then it automatically runs these commands, which could lead to arbitrary commands running on the user's computer. The problem has been patched as of `2.8.11`, which escapes the saved csv with single quotes. As a workaround, avoid opening csv files generated by `gradio` with Excel or similar spreadsheet programs.

Action-Not Available
Vendor-gradio_projectgradio-app
Product-gradiogradio
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File