Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-53929

Summary
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At-17 Dec, 2025 | 22:44
Updated At-18 Dec, 2025 | 15:02
Rejected At-
Credits

phpMyFAQ 3.1.12 CSV Injection via User Profile Export

phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV file.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulnCheck
Assigner Org ID:83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At:17 Dec, 2025 | 22:44
Updated At:18 Dec, 2025 | 15:02
Rejected At:
▼CVE Numbering Authority (CNA)
phpMyFAQ 3.1.12 CSV Injection via User Profile Export

phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV file.

Affected Products
Vendor
Thorsten Rinne (phpMyFAQ)Phpmyfaq
Product
phpMyFAQ
Versions
Affected
  • 3.1.12
Problem Types
TypeCWE IDDescription
CWECWE-1236Improper Neutralization of Formula Elements in a CSV File
Type: CWE
CWE ID: CWE-1236
Description: Improper Neutralization of Formula Elements in a CSV File
Metrics
VersionBase scoreBase severityVector
4.06.2MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Version: 4.0
Base score: 6.2
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Mirabbas Ağalarov
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.exploit-db.com/exploits/51399
exploit
https://www.phpmyfaq.de/
product
https://www.vulncheck.com/advisories/phpmyfaq-csv-injection-via-user-profile-export
third-party-advisory
Hyperlink: https://www.exploit-db.com/exploits/51399
Resource:
exploit
Hyperlink: https://www.phpmyfaq.de/
Resource:
product
Hyperlink: https://www.vulncheck.com/advisories/phpmyfaq-csv-injection-via-user-profile-export
Resource:
third-party-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.exploit-db.com/exploits/51399
exploit
Hyperlink: https://www.exploit-db.com/exploits/51399
Resource:
exploit
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:disclosure@vulncheck.com
Published At:17 Dec, 2025 | 23:15
Updated At:31 Dec, 2025 | 18:45

phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV file.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.06.2MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary3.18.0HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Type: Secondary
Version: 4.0
Base score: 6.2
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 8.0
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CPE Matches
Thorsten Rinne (phpMyFAQ)
phpmyfaq
>>phpmyfaq>>3.1.12
cpe:2.3:a:phpmyfaq:phpmyfaq:3.1.12:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-1236Secondarydisclosure@vulncheck.com
CWE ID: CWE-1236
Type: Secondary
Source: disclosure@vulncheck.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.exploit-db.com/exploits/51399disclosure@vulncheck.com
Exploit
Third Party Advisory
https://www.phpmyfaq.de/disclosure@vulncheck.com
Product
https://www.vulncheck.com/advisories/phpmyfaq-csv-injection-via-user-profile-exportdisclosure@vulncheck.com
Third Party Advisory
https://www.exploit-db.com/exploits/51399134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Third Party Advisory
Hyperlink: https://www.exploit-db.com/exploits/51399
Source: disclosure@vulncheck.com
Resource:
Exploit
Third Party Advisory
Hyperlink: https://www.phpmyfaq.de/
Source: disclosure@vulncheck.com
Resource:
Product
Hyperlink: https://www.vulncheck.com/advisories/phpmyfaq-csv-injection-via-user-profile-export
Source: disclosure@vulncheck.com
Resource:
Third Party Advisory
Hyperlink: https://www.exploit-db.com/exploits/51399
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

62Records found
CVE-2023-51336
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.23% / 45.08%
||
7 Day CHG~0.00%
Published-20 Feb, 2025 | 00:00
Updated-04 Nov, 2025 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PHPJabbers Meeting Room Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.

Action-Not Available
Vendor-n/aPHPJabbers Ltd.
Product-meeting_room_booking_systemn/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2020-36503
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-8||HIGH
EPSS-1.27% / 79.19%
||
7 Day CHG~0.00%
Published-01 Nov, 2021 | 08:45
Updated-04 Aug, 2024 | 17:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Connections Business Directory < 9.7 - Admin+ CSV Injection

The Connections Business Directory WordPress plugin before 9.7 does not validate or sanitise some connections' fields, which could lead to a CSV injection issue

Action-Not Available
Vendor-connections-proUnknown
Product-connections_business_directoryConnections Business Directory
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2018-10255
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.47% / 84.94%
||
7 Day CHG~0.00%
Published-01 May, 2018 | 19:00
Updated-05 Aug, 2024 | 07:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CSV Injection vulnerability was discovered in clustercoding Blog Master Pro v1.0 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.

Action-Not Available
Vendor-clustercodingn/a
Product-blog_master_pron/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2025-14229
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-0.05% / 15.06%
||
7 Day CHG+0.01%
Published-08 Dec, 2025 | 11:02
Updated-10 Dec, 2025 | 17:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Inventory Management System SVC Report Export csv injection

A security vulnerability has been detected in SourceCodester Inventory Management System 1.0. The affected element is an unknown function of the component SVC Report Export. Such manipulation leads to csv injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.

Action-Not Available
Vendor-warren-daloyanSourceCodester
Product-inventory_management_systemInventory Management System
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2023-48207
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.18% / 39.98%
||
7 Day CHG~0.00%
Published-07 Dec, 2023 | 00:00
Updated-02 Aug, 2024 | 21:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Availability Booking Calendar 5.0 allows CSV injection via the unique ID field in the Reservations list component.

Action-Not Available
Vendor-n/aPHPJabbers Ltd.
Product-availability_booking_calendarn/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2023-48029
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.38% / 58.91%
||
7 Day CHG~0.00%
Published-17 Nov, 2023 | 00:00
Updated-29 Sep, 2025 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Corebos 8.0 and below is vulnerable to CSV Injection. An attacker with low privileges can inject a malicious command into a table. This vulnerability is exploited when an administrator visits the user management section, exports the data to a CSV file, and then opens it, leading to the execution of the malicious payload on the administrator's computer.

Action-Not Available
Vendor-corebosn/a
Product-corebosn/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2023-41798
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.69% / 71.38%
||
7 Day CHG~0.00%
Published-07 Nov, 2023 | 17:19
Updated-19 Feb, 2025 | 22:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Directorist Plugin <= 7.7.1 is vulnerable to CSV Injection

Improper Neutralization of Formula Elements in a CSV File vulnerability in wpWax Directorist – WordPress Business Directory Plugin with Classified Ads Listing.This issue affects Directorist – WordPress Business Directory Plugin with Classified Ads Listings: from n/a through 7.7.1.

Action-Not Available
Vendor-wpwaxwpWax
Product-directoristDirectorist – WordPress Business Directory Plugin with Classified Ads Listings
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2023-42004
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-8||HIGH
EPSS-0.12% / 31.14%
||
7 Day CHG~0.00%
Published-28 Nov, 2023 | 10:52
Updated-21 Nov, 2024 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Security Guardium CSV injection

IBM Security Guardium 11.3, 11.4, and 11.5 is potentially vulnerable to CSV injection. A remote attacker could execute malicious commands due to improper validation of csv file contents. IBM X-Force ID: 265262.

Action-Not Available
Vendor-IBM Corporation
Product-security_guardiumSecurity Guardium
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2023-38843
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.14% / 34.73%
||
7 Day CHG~0.00%
Published-17 Aug, 2023 | 00:00
Updated-08 Oct, 2024 | 15:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in Atlos v.1.0 allows an authenticated attacker to execute arbitrary code via a crafted payload into the description field in the incident function.

Action-Not Available
Vendor-atlosn/a
Product-atlosn/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2023-36527
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.69% / 71.38%
||
7 Day CHG~0.00%
Published-07 Nov, 2023 | 16:04
Updated-04 Sep, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Post to CSV by BestWebSoft Plugin <= 1.4.0 is vulnerable to CSV Injection

Improper Neutralization of Formula Elements in a CSV File vulnerability in BestWebSoft Post to CSV by BestWebSoft.This issue affects Post to CSV by BestWebSoft: from n/a through 1.4.0.

Action-Not Available
Vendor-BestWebSoft
Product-post_to_csvPost to CSV by BestWebSoft
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2023-3493
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.7||HIGH
EPSS-0.09% / 25.76%
||
7 Day CHG~0.00%
Published-30 Jun, 2023 | 21:14
Updated-04 Nov, 2024 | 20:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Neutralization of Formula Elements in a CSV File in fossbilling/fossbilling

Improper Neutralization of Formula Elements in a CSV File in GitHub repository fossbilling/fossbilling prior to 0.5.3.

Action-Not Available
Vendor-fossbillingfossbillingfossbilling
Product-fossbillingfossbilling/fossbillingfossbilling
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
CVE-2023-33410
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.65% / 70.28%
||
7 Day CHG~0.00%
Published-05 Jun, 2023 | 00:00
Updated-08 Jan, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Minical 1.0.0 and earlier contains a CSV injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on the Customer Name field in the Accounting module that is used to construct a CSV file.

Action-Not Available
Vendor-minicaln/a
Product-minicaln/a
CWE ID-CWE-1236
Improper Neutralization of Formula Elements in a CSV File
  • Previous
  • 1
  • 2
  • Next
Details not found