Total
251 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-3558 | 1 Codection | 1 Import And Export Users And Customers | 2025-05-01 | N/A | 8.0 HIGH |
| The Import and export users and customers WordPress plugin before 1.20.5 does not properly escape data when exporting it via CSV files. | |||||
| CVE-2022-3574 | 1 Wpforms | 1 Wpforms Pro | 2025-04-30 | N/A | 9.8 CRITICAL |
| The WPForms Pro WordPress plugin before 1.7.7 does not validate its form data when generating the exported CSV, which could lead to CSV injection. | |||||
| CVE-2022-3600 | 1 Awesomemotive | 1 Easy Digital Downloads | 2025-04-30 | N/A | 9.8 CRITICAL |
| The Easy Digital Downloads WordPress plugin before 3.1.0.2 does not validate data when its output in a CSV file, which could lead to CSV injection. | |||||
| CVE-2022-3634 | 1 Ciphercoin | 1 Contact Form 7 Database Addon | 2025-04-29 | N/A | 9.8 CRITICAL |
| The Contact Form 7 Database Addon WordPress plugin before 1.2.6.5 does not validate data when output it back in a CSV file, which could lead to CSV injection | |||||
| CVE-2022-44830 | 1 Event Registration Application Project | 1 Event Registration Application | 2025-04-29 | N/A | 7.8 HIGH |
| Sourcecodester Event Registration App v1.0 was discovered to contain multiple CSV injection vulnerabilities via the First Name, Contact and Remarks fields. These vulnerabilities allow attackers to execute arbitrary code via a crafted excel file. | |||||
| CVE-2022-3603 | 1 Piwebsolution | 1 Export Customers List Csv For Woocommerce | 2025-04-25 | N/A | 9.8 CRITICAL |
| The Export customers list csv for WooCommerce, WordPress users csv, export Guest customer list WordPress plugin before 2.0.69 does not validate data when outputting it back in a CSV file, which could lead to CSV injection. | |||||
| CVE-2023-51302 | 1 Phpjabbers | 1 Hotel Booking System | 2025-04-23 | N/A | 8.8 HIGH |
| PHPJabbers Hotel Booking System v4.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file. | |||||
| CVE-2023-51298 | 1 Phpjabbers | 1 Event Booking Calendar | 2025-04-22 | N/A | 4.7 MEDIUM |
| PHPJabbers Event Booking Calendar v4.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file. | |||||
| CVE-2022-3605 | 1 Wp Csv Exporter Project | 1 Wp Csv Exporter | 2025-04-22 | N/A | 7.8 HIGH |
| The WP CSV Exporter WordPress plugin before 1.3.7 does not properly escape the fields when exporting data as CSV, leading to a CSV injection vulnerability. | |||||
| CVE-2023-51319 | 1 Phpjabbers | 1 Bus Reservation System | 2025-04-22 | N/A | 8.8 HIGH |
| PHPJabbers Bus Reservation System v1.1 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file. | |||||
| CVE-2024-53260 | 1 Autolabproject | 1 Autolab | 2025-04-21 | N/A | 6.8 MEDIUM |
| Autolab is a course management service that enables auto-graded programming assignments. A user can modify their first and or last name to include a valid excel / spreadsheet formula. When an instructor downloads their course's roster and opens, this name will then be evaluated as a formula. This could lead to leakage of information of students in the course roster by sending the data to a remote endpoint. This issue has been patched in the source code repository and the fix is expected to be released in the next version. Users are advised to manually patch their systems or to wait for the next release. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-9102 | 2025-04-16 | N/A | N/A | ||
| phpLDAPadmin since at least version 1.2.0 through the latest version 1.2.6.7 allows users to export elements from the LDAP directory into a Comma-Separated Value (CSV) file, but it does not neutralize special elements that could be interpreted as a command when the file is opened by a spreadsheet product. Thus, this could lead to CSV Formula Injection. NOTE: This vulnerability will not be addressed, the maintainer's position is that it is not the intention of phpLDAPadmin to control what data Administrators can put in their LDAP database, nor filter it on export. | |||||
| CVE-2024-28764 | 2 Ibm, Linux | 2 Websphere Automation, Linux Kernel | 2025-04-11 | N/A | 6.5 MEDIUM |
| IBM WebSphere Automation 1.7.0 could allow an attacker with privileged access to the network to conduct a CSV injection. An attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 285623. | |||||
| CVE-2022-37786 | 1 Wecube-platform Project | 1 Wecube-platform | 2025-04-11 | N/A | 6.3 MEDIUM |
| An issue was discovered in WeCube Platform 3.2.2. There are multiple CSV injection issues: the [Home / Admin / Resources] page, the [Home / Admin / System Params] page, and the [Home / Design / Basekey Configuration] page. | |||||
| CVE-2023-45597 | 1 Ailux | 1 Imx6 | 2025-04-10 | N/A | 5.9 MEDIUM |
| A CWE-1236 “Improper Neutralization of Formula Elements in a CSV File” vulnerability in the “file_configuration” functionality of the web application (concerning the function “export_file”) allows a remote authenticated attacker to inject arbitrary formulas inside generated CSV files. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2. | |||||
| CVE-2023-51333 | 1 Phpjabbers | 1 Cinema Booking System | 2025-04-10 | N/A | 8.8 HIGH |
| PHPJabbers Cinema Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file. | |||||
| CVE-2023-51336 | 1 Phpjabbers | 1 Meeting Room Booking System | 2025-04-10 | N/A | 8.8 HIGH |
| PHPJabbers Meeting Room Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file. | |||||
| CVE-2024-29375 | 2025-03-28 | N/A | 9.8 CRITICAL | ||
| CSV Injection vulnerability in Addactis IBNRS v.3.10.3.107 allows a remote attacker to execute arbitrary code via a crafted .ibnrs file to the Project Description, Identifiers, Custom Triangle Name (inside Input Triangles) and Yield Curve Name parameters. | |||||
| CVE-2024-47485 | 1 Hikvision | 1 Hikcentral Master | 2025-03-13 | N/A | 9.8 CRITICAL |
| There is a CSV injection vulnerability in some HikCentral Master Lite versions. If exploited, an attacker could build malicious data to generate executable commands in the CSV file. | |||||
| CVE-2025-1836 | 2025-03-02 | 4.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability was found in Incorta 2023.4.3. It has been classified as problematic. Affected is an unknown function of the component Edit Insight Handler. The manipulation of the argument Service Name leads to csv injection. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way. | |||||