CWE-1236: Improper Neutralization of Formula Elements in a CSV File
Also known as: CSV Injection, Formula Injection, Excel Macro Injection
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
Last updated
Overview
CWE-1236 (Improper Neutralization of Formula Elements in a CSV File) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Background
User-provided data is often saved to traditional databases. This data can be exported to a CSV file, which allows users to read the data using spreadsheet software such as Excel, Numbers, or Calc. This software interprets entries beginning with '=' as formulas, which are then executed by the spreadsheet software. The software's formula language often allows methods to access hyperlinks or the local command line, and frequently allows enough characters to invoke an entire script.
Real-world CVEs
173 recorded CVEs are caused by CWE-1236 (Improper Neutralization of Formula Elements in a CSV File). The highest-severity and most recent are shown first. 22 new CWE-1236 CVEs have been recorded so far in 2026 (42 in 2025).
- CVE-2026-35157Critical · CVSS 9.8 · EPSS 24th2026-05-11
- CVE-2026-31049Critical · CVSS 9.8 · EPSS 47th2026-04-14
- CVE-2025-56267Critical · CVSS 9.8 · EPSS 48th2025-09-08
- CVE-2023-47295Critical · CVSS 9.8 · EPSS 41th2025-06-23
- CVE-2024-55532
Apache Ranger: Improper Neutralization of Formula Elements in a CSV File
Critical · CVSS 9.8 · EPSS 50th2025-03-03 - CVE-2023-46400Critical · CVSS 9.8 · EPSS 28th2025-01-23
- CVE-2023-46401Critical · CVSS 9.8 · EPSS 38th2025-01-23
- CVE-2024-3214
Relevanssi – A Better Search <= 4.22.1 - Unauthenticated Second Order CSV Injection
Critical · CVSS 9.8 · EPSS 51th2024-04-09 - CVE-2024-29375Critical · CVSS 9.8 · EPSS 71th2024-04-04
- CVE-2023-35899Critical · CVSS 9.8 · EPSS 47th2024-03-05
- CVE-2022-45360
WordPress Commenter Emails Plugin <= 2.6.1 is vulnerable to CSV Injection
Critical · CVSS 9.8 · EPSS 45th2023-11-07 - CVE-2022-45370
WordPress WordPress Comments Import & Export Plugin <= 2.3.1 is vulnerable to CSV Injection
Critical · CVSS 9.8 · EPSS 54th2023-11-07
Showing 12 of 173 recorded CWE-1236 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-1236 vulnerabilitiesCommon consequences
What can happen when CWE-1236 is exploited.
Read Application Data, Execute Unauthorized Code or Commands
Affects: Confidentiality
Attackers can populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-1236, grouped by where in the lifecycle they apply.
When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Effectiveness: Moderate — Unfortunately, there is no perfect solution, since different spreadsheet products act differently.
If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Effectiveness: Moderate — It is not clear how effective this mitigation is with other spreadsheet software.
Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
Effectiveness: Limited — This mitigation has limited effectiveness because it often depends on end users opening spreadsheet software safely.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
Hyperlinks or other commands can be executed when a cell begins with the formula identifier, '='
Stripping the leading equals sign, or simply not executing formulas from untrusted sources, impedes malicious activity.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2019-12134 — Low privileged user can trigger CSV injection through a contact form field value
- CVE-2019-4521 — Cloud management product allows arbitrary command execution via CSV injection
- CVE-2019-17661 — CSV injection in content management system via formula code in a first or last name
Terminology & mappings
Alternate terms
- CSV Injection
- Formula Injection
- Excel Macro Injection
Frequently asked questions
Common questions about CWE-1236.
- What is CWE-1236?
- The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
- What CVEs are caused by CWE-1236?
- 173 recorded CVEs are attributed to CWE-1236, including CVE-2026-35157, CVE-2026-31049, CVE-2025-56267.
- How do you prevent CWE-1236?
- When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
- How is CWE-1236 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-1236?
- Exploiting CWE-1236 can lead to: Read Application Data, Execute Unauthorized Code or Commands.
- Is CWE-1236 actively exploited?
- 173 recorded CVEs are caused by CWE-1236; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-1236) (opens in a new tab)
- CWE-1236 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1236
Get alerted the moment a new CWE-1236 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.