1932 matches found
CVE-2023-54348
ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to inject spreadsheet formulas into vendor name fields that execute on the workstation of users who open the exported CSV in a spreadsheet application. Attackers can add malicious formulas like =10+20+cmd|' ...
CVE-2026-41073
RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet CSV/formula injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output file, which can caus...
CVE-2026-41073
CVE-2026-41073 affects RT (open source issue/IT ticket tracker). Versions older than 5.0.10 and 6.0.0–6.0.2 write user-controlled data into spreadsheet exports without sanitization, allowing CSV/formula injection when opened in spreadsheet apps. The underlying issue is that exported outputs may b...
CVE-2023-54348 ERPGo SaaS 3.9 CSV Injection via Vendor Creation
ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to inject spreadsheet formulas into vendor name fields that execute on the workstation of users who open the exported CSV in a spreadsheet application. Attackers can add malicious formulas like =10+20+cmd|' ...
Rajodiya ERPGo SaaS 安全漏洞
Rajodiya ERPGo SaaS is an online enterprise resource planning system provided by Rajodiya Corporation. Version 3.9 of Rajodiya ERPGo SaaS contains a security vulnerability. This vulnerability stems from a CSV injection flaw, allowing authenticated attackers to execute arbitrary code by injecting...
CVE-2026-39424 MaxKB has CSV Injection in its Application Chat Export Functionality
MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, the chat export feature is vulnerable to Improper Neutralization of Formula Elements in a CSV File. When an administrator exports the application chat history to an Excel file .xlsx via the...
CVE-2026-39424
MaxKB (1Panel-dev) has a CSV-injection vulnerability in the chat export feature for versions 2.7.1 and earlier. When exporting chat history to .xlsx via /admin/api/workspace/{workspace_id}/application/{application_id}/chat/export, strings beginning with formula characters are written without sani...
CSV Injection
Overview moodle/moodle is a learning platform. Affected versions of this package are vulnerable to CSV Injection when exporting data to CSV or Excel. An attacker can execute arbitrary formulas in a spreadsheet application by supplying specially crafted input that is not properly escaped during...
CVE-2020-36941
Knockpy 4.1.1 contains a CSV injection vulnerability that allows attackers to inject malicious formulas into CSV reports through unfiltered server headers. Attackers can manipulate server response headers to include spreadsheet formulas that will execute when the CSV is opened in spreadsheet...
CVE-2021-47901 dirsearch 0.4.1 - CSV Injection
Dirsearch 0.4.1 contains a CSV injection vulnerability when using the --csv-report flag that allows attackers to inject formulas through redirected endpoints. Attackers can craft malicious server redirects with comma-separated paths containing Excel formulas to manipulate the generated CSV report...
CVE-2021-47901
Dirsearch 0.4.1 is affected by a CSV injection vulnerability exploitable via the --csv-report flag. An attacker can craft malicious server redirects with comma-separated paths containing Excel formulas, enabling manipulation of the generated CSV report. The issue is described across multiple sour...
CVE-2020-36941
Knockpy 4.1.1 contains a CSV injection vulnerability that allows attackers to inject malicious formulas into CSV reports through unfiltered server headers. Attackers can manipulate server response headers to include spreadsheet formulas that will execute when the CSV is opened in spreadsheet...
CVE-2026-23873
hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection Formula Injection through the contest rank export functionality contestrank.xls.php and admin/ranklistexport.php. The application fails to sanitize...
CVE-2026-23873 HUSTOJ is Vulnerable to Stored CSV Injection (Formula Injection) in Contest Rank Export
hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection Formula Injection through the contest rank export functionality contestrank.xls.php and admin/ranklistexport.php. The application fails to sanitize...
CVE-2025-61873
Best Practical Request Tracker RT before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used...
UBUNTU-CVE-2025-61873
Best Practical Request Tracker RT before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used...
CVE-2025-61873
Best Practical Request Tracker RT before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used...
CVE-2025-61873
Best Practical Request Tracker RT before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used...
CVE-2025-61873
Summary: CVE-2025-61873 affects Best Practical Request Tracker (RT). The connected Debian advisory confirms the issue is a CSV injection vulnerability in RT exports to TSV from search results, caused by ticket values containing certain characters and exported in TSV, enabling injection. Debian li...
GO-2026-4303 Mattermost Server is vulnerable CSV Injection in github.com/mattermost/mattermost-server
Mattermost Server is vulnerable CSV Injection in github.com/mattermost/mattermost-server...