ReportizFlow
Filtered by vendor
Subscriptions
Total
285 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-45348 | 1 Anmari | 1 Amr Users | 2026-04-28 | 5.8 Medium |
| Improper Neutralization of Formula Elements in a CSV File vulnerability in anmari amr users.This issue affects amr users: from n/a through 4.59.4. | ||||
| CVE-2022-44738 | 1 Patrickrobrecht | 1 Posts And Users Stats | 2026-04-28 | 5.8 Medium |
| Improper Neutralization of Formula Elements in a CSV File vulnerability in Patrick Robrecht Posts and Users Stats.This issue affects Posts and Users Stats: from n/a through 1.1.3. | ||||
| CVE-2022-42882 | 1 Shambix | 1 Simple Csv\/xls Exporter | 2026-04-28 | 5.8 Medium |
| Improper Neutralization of Formula Elements in a CSV File vulnerability in Shambix Simple CSV/XLS Exporter.This issue affects Simple CSV/XLS Exporter: from n/a through 1.5.8. | ||||
| CVE-2022-41616 | 1 Kaushikkalathiya | 1 Export Users Data | 2026-04-28 | 7.6 High |
| Improper Neutralization of Formula Elements in a CSV File vulnerability in Kaushik Kalathiya Export Users Data CSV.This issue affects Export Users Data CSV: from n/a through 2.1. | ||||
| CVE-2022-38702 | 1 Kigurumi | 1 Csv Exporter | 2026-04-28 | 5.8 Medium |
| Improper Neutralization of Formula Elements in a CSV File vulnerability in Nakashima Masahiro WP CSV Exporter.This issue affects WP CSV Exporter: from n/a through 2.0. | ||||
| CVE-2022-45078 | 1 Solwininfotech | 1 User Blocker | 2026-04-28 | 5.9 Medium |
| Improper Neutralization of Formula Elements in a CSV File vulnerability in Solwin Infotech User Blocker.This issue affects User Blocker: from n/a through 1.5.5. | ||||
| CVE-2022-41791 | 1 Metagauss | 1 Profilegrid | 2026-04-28 | 6.8 Medium |
| Auth. (subscriber+) CSV Injection vulnerability in ProfileGrid plugin <= 5.1.6 on WordPress. | ||||
| CVE-2025-58855 | 2026-04-23 | 7.1 High | ||
| Improper Neutralization of Formula Elements in a CSV File vulnerability in Denis V (Artprima) AP HoneyPot WordPress Plugin ap-honeypot allows Reflected XSS.This issue affects AP HoneyPot WordPress Plugin: from n/a through <= 1.4. | ||||
| CVE-2025-8767 | 2 Anwp, Wordpress | 2 Football Leagues, Wordpress | 2026-04-23 | 4.8 Medium |
| The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 0.16.17 via the 'download_csv_players' and 'download_csv_games' functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. | ||||
| CVE-2025-11254 | 2 Contest-gallery, Wordpress | 2 Contest Gallery, Wordpress | 2026-04-22 | 4.3 Medium |
| The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 27.0.3 via gallery submissions. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. | ||||
| CVE-2025-11576 | 2 Newcodebyte, Wordpress | 2 Ai Chatbot Free Models, Wordpress | 2026-04-22 | 4.3 Medium |
| The AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.6.5. This is due to insufficient sanitization in the 'newcodebyte_chatbot_export_messages' function. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. | ||||
| CVE-2025-13133 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 6.6 Medium |
| The Simple User Import Export plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.1.7 via the 'Import/export users' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration | ||||
| CVE-2025-6838 | 1 Wordpress | 1 Wordpress | 2026-04-20 | 4.1 Medium |
| The Broken Link Notifier plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.3.0 via broken links that are later exported. This makes it possible for authenticated attackers, with Contributor-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. | ||||
| CVE-2026-39424 | 2 1panel, Maxkb | 2 Maxkb, Maxkb | 2026-04-20 | 4.7 Medium |
| MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, the chat export feature is vulnerable to Improper Neutralization of Formula Elements in a CSV File. When an administrator exports the application chat history to an Excel file (.xlsx) via the /admin/api/workspace/{workspace_id}/application/{application_id}/chat/export endpoint, strings starting with formula characters are written directly without proper sanitization. Opening this file in spreadsheet applications like Microsoft Excel can lead to Arbitrary Code Execution (RCE) on the administrator's workstation via Dynamic Data Exchange (DDE). The issue is a variant of CVE-2025-4546, which fixed the exact same pattern in apps/dataset/serializers/document_serializers.py but missed the application chat export sink. This issue has been fixed in version 2.8.0. | ||||
| CVE-2026-24447 | 2 Six Apart, Six Apart Ltd | 2 Movable Type, Movable Type | 2026-04-18 | N/A |
| If a malformed data is input to the affected product, a CSV file downloaded from the affected product may contain such malformed data. When a victim user download and open such a CSV file, the embedded code may be executed in the user's environment. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well. | ||||
| CVE-2026-23873 | 1 Hustoj | 1 Hustoj | 2026-04-18 | 9.0 Critical |
| hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through the contest rank export functionality (contestrank.xls.php and admin/ranklist_export.php). The application fails to sanitize user-supplied input (specifically the "Nickname" field) before exporting it to an .xls file (which renders as an HTML table but is opened by Excel). If a malicious user sets their nickname to an Excel formula when an administrator exports and opens the rank list in Microsoft Excel, the formula will be executed. This can lead to arbitrary command execution (RCE) on the administrator's machine or data exfiltration. A fix was not available at the time of publication. | ||||
| CVE-2026-31049 | 1 Hostbillapp | 1 Hostbill | 2026-04-17 | 9.8 Critical |
| An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field | ||||
| CVE-2025-60852 | 1 Instant Developer | 1 Instant Developer Framework | 2026-04-15 | 6.5 Medium |
| A CSV Injection vulnerability existed in Instant Developer Foundation versions prior to 25.0.9600. Applications built with affected versions of the framework did not properly sanitize user-controlled input before including it in CSV exports. This issue could lead to code execution on the system where the exported CSV file is opened. | ||||
| CVE-2025-50572 | 2026-04-15 | 8.8 High | ||
| Archer 6.11.00204.10014 allows attackers to execute arbitrary code via crafted system inputs that would be exported into the CSV and be executed after the user opened the file with compatible applications. NOTE: the Supplier does not accept this as a valid vulnerability report against their product. | ||||
| CVE-2025-39245 | 1 Hikvision | 1 Hikcentral Master Lite | 2026-04-15 | 4.7 Medium |
| There is a CSV Injection Vulnerability in some HikCentral Master Lite versions. This could allow an attacker to inject executable commands via malicious CSV data. | ||||