CWE • Base • Incomplete • 20 recent CVEs
CWE-1236: Improper Neutralization of Formula Elements in a CSV File
Description
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
Common consequences
- Confidentiality → Read Application Data, Execute Unauthorized Code or Commands: Attackers can populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of
Potential mitigations
- Implementation: When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
- Implementation: If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
- Architecture and Design: Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
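The two Implementation mitigations above, sketched as an added example (not code from this page or from any product it lists). The function names and sample rows are constructed for illustration, and checking past leading whitespace is an extra conservative assumption beyond the four characters the page names.

```python
import csv
import io

# Formula-trigger characters named in the mitigation above.
FORMULA_PREFIXES = ("=", "+", "-", "@")


def neutralize_cell(value):
    """Return a value that a spreadsheet will treat as text, not a formula."""
    if not isinstance(value, str):
        return value  # real numbers (int/float) are written unchanged
    # Conservative choice (assumption, not from the page): look past leading
    # whitespace so " =1+1" is handled the same way as "=1+1".
    if value.lstrip().startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


def export_rows(rows):
    """Serialize rows to CSV text with every string cell neutralized."""
    buf = io.StringIO()
    # The csv module quotes cells containing commas, quotes or newlines, so
    # user input cannot split itself into a new cell that begins with a
    # formula character after the prefix check has already run.
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample input: user-supplied fields destined for an export.
SAMPLE_ROWS = [
    ["name", "note", "balance"],
    ["alice", "=1+1", -12.5],          # formula-like string, numeric balance
    ["bob", "ok,@SUM(A1:A2)", 3],      # embedded comma must stay in one cell
    ["carol", "+1 555 0100", 0],       # phone number that starts with '+'
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS), end="")
```

The apostrophe becomes part of the stored value, so any downstream consumer that parses the CSV programmatically has to expect it.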
Related CWEs
Recent CVEs classified under this CWE
- CVE-2026-47693, 6.9, 2026-06-23
- CVE-2026-5242, 8.8, 2026-06-15
- CVE-2025-52612, 7.1, 2026-06-04
- CVE-2026-10248, 4.7, 2026-06-01
- CVE-2026-9673, 6.8, 2026-05-28
- CVE-2026-41073, 4.6, 2026-05-22
- CVE-2026-35157, 5.8, 2026-05-11
- CVE-2026-42267, 5.7, 2026-05-08
- CVE-2026-27644, 6.5, 2026-05-05
- CVE-2023-54348, 8.8, 2026-05-05
- CVE-2026-31049, 9.8, 2026-04-14
- CVE-2026-39424, 2026-04-14
- CVE-2025-14229, 4.7, 2025-12-08
- CVE-2025-12249, 6.3, 2025-10-27
- CVE-2025-11279, 5.5, 2025-10-05
- CVE-2025-58855, 7.1, 2025-09-05
- CVE-2025-9241, 6.3, 2025-08-20
- CVE-2025-8808, 4.3, 2025-08-10
- CVE-2025-7061, 2.7, 2025-07-04
- CVE-2023-5527, 7.4, 2024-06-18