Common Weakness Enumeration

CWE-1236

Improper Neutralization of Formula Elements in a CSV File

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

CVE-2026-41073 (GCVE-0-2026-41073)

Vulnerability from cvelistv5 – Published: 2026-05-22 21:10 – Updated: 2026-05-23 02:57
VLAI
Title
RT: Spreadsheet downloads vulnerable to CSV/formula injection in Microsoft Excel and similar apps
Summary
RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output file, which can cause spreadsheet applications to interpret crafted values as formulas or macros when the file is opened. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by avoiding opening exported RT spreadsheet files directly in spreadsheet applications when the data may contain untrusted user input.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Assigner
Impacted products
Vendor Product Version
bestpractical rt Affected: < 5.0.10
Affected: >= 6.0.0, < 6.0.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41073",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-23T02:57:10.802457Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-23T02:57:38.966Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rt",
          "vendor": "bestpractical",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.0.10"
            },
            {
              "status": "affected",
              "version": "\u003e= 6.0.0, \u003c 6.0.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output file, which can cause spreadsheet applications to interpret crafted values as formulas or macros when the file is opened. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by avoiding opening exported RT spreadsheet files directly in spreadsheet applications when the data may contain untrusted user input."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1236",
              "description": "CWE-1236: Improper Neutralization of Formula Elements in a CSV File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T21:10:22.249Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/bestpractical/rt/security/advisories/GHSA-6x92-7v65-7m3r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/bestpractical/rt/security/advisories/GHSA-6x92-7v65-7m3r"
        },
        {
          "name": "https://github.com/bestpractical/rt/releases/tag/rt-5.0.10",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bestpractical/rt/releases/tag/rt-5.0.10"
        },
        {
          "name": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bestpractical/rt/releases/tag/rt-6.0.3"
        }
      ],
      "source": {
        "advisory": "GHSA-6x92-7v65-7m3r",
        "discovery": "UNKNOWN"
      },
      "title": "RT: Spreadsheet downloads vulnerable to CSV/formula injection in Microsoft Excel and similar apps"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41073",
    "datePublished": "2026-05-22T21:10:22.249Z",
    "dateReserved": "2026-04-16T16:43:03.174Z",
    "dateUpdated": "2026-05-23T02:57:38.966Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42267 (GCVE-0-2026-42267)

Vulnerability from cvelistv5 – Published: 2026-05-08 03:28 – Updated: 2026-05-08 12:58
VLAI
Title
Kimai: Formula Injection via tag names in XLSX export
Summary
Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM(54+51)) via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue() joins tag names with implode() and returns the result unchanged. OpenSpout promotes any =-prefixed string to a FormulaCell, writing <f>SUM(54+51)</f> into the XLSX archive. Excel evaluates the formula when the file is opened. This issue has been patched in version 2.54.0.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Assigner
References
Impacted products
Vendor Product Version
kimai kimai Affected: >= 2.27.0, < 2.54.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42267",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T12:57:49.978866Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T12:58:12.770Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/kimai/kimai/security/advisories/GHSA-3xc2-h5r3-wv3r"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kimai",
          "vendor": "kimai",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.27.0, \u003c 2.54.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM(54+51)) via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue() joins tag names with implode() and returns the result unchanged. OpenSpout promotes any =-prefixed string to a FormulaCell, writing \u003cf\u003eSUM(54+51)\u003c/f\u003e into the XLSX archive. Excel evaluates the formula when the file is opened. This issue has been patched in version 2.54.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1236",
              "description": "CWE-1236: Improper Neutralization of Formula Elements in a CSV File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T03:28:52.226Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kimai/kimai/security/advisories/GHSA-3xc2-h5r3-wv3r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kimai/kimai/security/advisories/GHSA-3xc2-h5r3-wv3r"
        },
        {
          "name": "https://github.com/kimai/kimai/releases/tag/2.54.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kimai/kimai/releases/tag/2.54.0"
        }
      ],
      "source": {
        "advisory": "GHSA-3xc2-h5r3-wv3r",
        "discovery": "UNKNOWN"
      },
      "title": "Kimai: Formula Injection via tag names in XLSX export"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42267",
    "datePublished": "2026-05-08T03:28:52.226Z",
    "dateReserved": "2026-04-26T11:53:27.706Z",
    "dateUpdated": "2026-05-08T12:58:12.770Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46672 (GCVE-0-2026-46672)

Vulnerability from cvelistv5 – Published: 2026-07-07 20:55 – Updated: 2026-07-08 13:00
VLAI
Title
Actual: CSV Formula Injection in `@actual-app/cli` `--format csv` Output via Custom `escapeCsv` Helper
Summary
Actual is a local-first personal finance app. Prior to 26.6.0, @actual-app/cli ships a hand-rolled CSV serializer in packages/cli/src/output.ts used whenever the global --format csv option is passed, whose escapeCsv helper only handles RFC 4180 delimiter, quote, and newline escaping and does not neutralize standard CSV formula-injection prefixes. Any CLI command that streams an object array containing user-controlled strings, including transactions list, accounts list, payees list, categories list, tags list, category-groups list, rules list, schedules list, and query, can emit cells that auto-evaluate when the resulting CSV is opened in Excel, LibreOffice Calc, or Google Sheets, enabling data exfiltration and arbitrary formula execution. This issue is fixed in version 26.6.0.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Assigner
Impacted products
Vendor Product Version
actualbudget actual Affected: < 26.6.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-46672",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-08T12:59:38.913676Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-08T13:00:02.162Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/actualbudget/actual/security/advisories/GHSA-7gh7-258j-4mpq"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "actual",
          "vendor": "actualbudget",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 26.6.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Actual is a local-first personal finance app. Prior to 26.6.0, @actual-app/cli ships a hand-rolled CSV serializer in packages/cli/src/output.ts used whenever the global --format csv option is passed, whose escapeCsv helper only handles RFC 4180 delimiter, quote, and newline escaping and does not neutralize standard CSV formula-injection prefixes. Any CLI command that streams an object array containing user-controlled strings, including transactions list, accounts list, payees list, categories list, tags list, category-groups list, rules list, schedules list, and query, can emit cells that auto-evaluate when the resulting CSV is opened in Excel, LibreOffice Calc, or Google Sheets, enabling data exfiltration and arbitrary formula execution. This issue is fixed in version 26.6.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1236",
              "description": "CWE-1236: Improper Neutralization of Formula Elements in a CSV File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-07T20:55:02.846Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/actualbudget/actual/security/advisories/GHSA-7gh7-258j-4mpq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/actualbudget/actual/security/advisories/GHSA-7gh7-258j-4mpq"
        },
        {
          "name": "https://github.com/actualbudget/actual/pull/7859",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/actualbudget/actual/pull/7859"
        },
        {
          "name": "https://github.com/actualbudget/actual/commit/068185751c03b42e726e3c60b718413d5f96c306",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/actualbudget/actual/commit/068185751c03b42e726e3c60b718413d5f96c306"
        },
        {
          "name": "https://github.com/actualbudget/actual/releases/tag/v26.6.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/actualbudget/actual/releases/tag/v26.6.0"
        }
      ],
      "source": {
        "advisory": "GHSA-7gh7-258j-4mpq",
        "discovery": "UNKNOWN"
      },
      "title": "Actual: CSV Formula Injection in `@actual-app/cli` `--format csv` Output via Custom `escapeCsv` Helper"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-46672",
    "datePublished": "2026-07-07T20:55:02.846Z",
    "dateReserved": "2026-05-15T21:46:51.547Z",
    "dateUpdated": "2026-07-08T13:00:02.162Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47693 (GCVE-0-2026-47693)

Vulnerability from cvelistv5 – Published: 2026-06-23 22:07 – Updated: 2026-06-24 14:46
VLAI
Title
Poweradmin: CSV Injection in log export endpoints allows formula execution in spreadsheet applications
Summary
Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 are vulnerable to CSV Injection (Formula Injection) in its log export functionality. User-controlled data — specifically the username field — is written to exported CSV files without sanitizing formula trigger characters (=, +, -, @). When an administrator exports activity logs and opens the resulting CSV in a spreadsheet application (Microsoft Excel, LibreOffice Calc, Google Sheets), any formula stored in a username is executed by the application. This can be used for phishing attacks against administrators or data exfiltration. Versions 4.2.4 and 4.3.3 patch the issue.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Assigner
Impacted products
Vendor Product Version
poweradmin poweradmin Affected: < 4.2.4
Affected: >= 4.3.0, < 4.3.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47693",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T14:45:52.225041Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T14:46:24.461Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/poweradmin/poweradmin/security/advisories/GHSA-3h6h-67x3-cv5x"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "poweradmin",
          "vendor": "poweradmin",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.2.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.3.0, \u003c 4.3.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 are vulnerable to CSV Injection (Formula Injection) in its log export functionality. User-controlled data \u2014 specifically the username field \u2014 is written to exported CSV files without sanitizing formula trigger characters (=, +, -, @). When an administrator exports activity logs and opens the resulting CSV in a spreadsheet application (Microsoft Excel, LibreOffice Calc, Google Sheets), any formula stored in a username is executed by the application. This can be used for phishing attacks against administrators or data exfiltration. Versions 4.2.4 and 4.3.3 patch the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1236",
              "description": "CWE-1236: Improper Neutralization of Formula Elements in a CSV File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-23T22:09:15.910Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/poweradmin/poweradmin/security/advisories/GHSA-3h6h-67x3-cv5x",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/poweradmin/poweradmin/security/advisories/GHSA-3h6h-67x3-cv5x"
        },
        {
          "name": "https://github.com/poweradmin/poweradmin/releases/tag/v4.2.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/poweradmin/poweradmin/releases/tag/v4.2.4"
        },
        {
          "name": "https://github.com/poweradmin/poweradmin/releases/tag/v4.3.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/poweradmin/poweradmin/releases/tag/v4.3.3"
        }
      ],
      "source": {
        "advisory": "GHSA-3h6h-67x3-cv5x",
        "discovery": "UNKNOWN"
      },
      "title": "Poweradmin: CSV Injection in log export endpoints allows formula execution in spreadsheet applications"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-47693",
    "datePublished": "2026-06-23T22:07:25.569Z",
    "dateReserved": "2026-05-19T21:18:20.403Z",
    "dateUpdated": "2026-06-24T14:46:24.461Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-50179 (GCVE-0-2026-50179)

Vulnerability from cvelistv5 – Published: 2026-07-07 20:58 – Updated: 2026-07-09 14:42
VLAI
Title
Actual: CSV Formula Injection in Transaction Export via Imported Payee/Notes Fields
Summary
Actual is a local-first personal finance tool. Prior to 26.6.0, exportToCSV and exportQueryToCSV in packages/loot-core/src/server/transactions/export/export-to-csv.ts pass user-controlled Payee, Notes, Account, and Category strings to csv-stringify with no cast callback and no formula-prefix neutralization. Strings that begin with equals sign, plus, minus, at sign, tab, or carriage return survive verbatim into the exported CSV, and when a recipient opens the file in Excel, LibreOffice Calc, or Google Sheets, the strings are interpreted as formulas, enabling transaction data exfiltration and attacker-chosen spreadsheet display values. This issue is fixed in version 26.6.0.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Assigner
Impacted products
Vendor Product Version
actualbudget actual Affected: < 26.6.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-50179",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-09T14:21:10.601992Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-09T14:42:17.117Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "actual",
          "vendor": "actualbudget",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 26.6.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Actual is a local-first personal finance tool. Prior to 26.6.0, exportToCSV and exportQueryToCSV in packages/loot-core/src/server/transactions/export/export-to-csv.ts pass user-controlled Payee, Notes, Account, and Category strings to csv-stringify with no cast callback and no formula-prefix neutralization. Strings that begin with equals sign, plus, minus, at sign, tab, or carriage return survive verbatim into the exported CSV, and when a recipient opens the file in Excel, LibreOffice Calc, or Google Sheets, the strings are interpreted as formulas, enabling transaction data exfiltration and attacker-chosen spreadsheet display values. This issue is fixed in version 26.6.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1236",
              "description": "CWE-1236: Improper Neutralization of Formula Elements in a CSV File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-07T20:58:16.074Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/actualbudget/actual/security/advisories/GHSA-xqjm-27pc-rvwm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/actualbudget/actual/security/advisories/GHSA-xqjm-27pc-rvwm"
        },
        {
          "name": "https://github.com/actualbudget/actual/commit/068185751c03b42e726e3c60b718413d5f96c306",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/actualbudget/actual/commit/068185751c03b42e726e3c60b718413d5f96c306"
        },
        {
          "name": "https://github.com/actualbudget/actual/releases/tag/v26.6.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/actualbudget/actual/releases/tag/v26.6.0"
        }
      ],
      "source": {
        "advisory": "GHSA-xqjm-27pc-rvwm",
        "discovery": "UNKNOWN"
      },
      "title": "Actual: CSV Formula Injection in Transaction Export via Imported Payee/Notes Fields"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-50179",
    "datePublished": "2026-07-07T20:58:16.074Z",
    "dateReserved": "2026-06-03T22:05:13.644Z",
    "dateUpdated": "2026-07-09T14:42:17.117Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-5242 (GCVE-0-2026-5242)

Vulnerability from cvelistv5 – Published: 2026-06-15 12:47 – Updated: 2026-06-15 15:59
VLAI
Title
Code Injection in Mia Technologies' Pizzy Library
Summary
Improper neutralization of formula elements in a CSV file vulnerability in MIA Technology Inc. Pizzy Library allows Code Injection. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-1236 - Improper neutralization of formula elements in a CSV file
Assigner
References
Impacted products
Vendor Product Version
MIA Technology Inc. Pizzy Library Affected: 1.0.0.26250 , < 1.3.9.26250 (custom)
Create a notification for this product.
Date Public
2026-06-15 12:44
Credits
Ahmet DURMUŞ STM Savunma Teknolojileri Mühendislik ve Ticaret A.Ş.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-5242",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T15:58:47.887349Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T15:59:03.264Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Pizzy Library",
          "vendor": "MIA Technology Inc.",
          "versions": [
            {
              "lessThan": "1.3.9.26250",
              "status": "affected",
              "version": "1.0.0.26250",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ahmet DURMU\u015e"
        },
        {
          "lang": "en",
          "type": "sponsor",
          "value": "STM Savunma Teknolojileri M\u00fchendislik ve Ticaret A.\u015e."
        }
      ],
      "datePublic": "2026-06-15T12:44:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper neutralization of formula elements in a CSV file vulnerability in MIA Technology Inc. Pizzy Library allows Code Injection.\u003cp\u003eThis issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.\u003c/p\u003e"
            }
          ],
          "value": "Improper neutralization of formula elements in a CSV file vulnerability in MIA Technology Inc. Pizzy Library allows Code Injection.\n\nThis issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-242",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-242 Code Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1236",
              "description": "CWE-1236 Improper neutralization of formula elements in a CSV file",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T13:47:05.726Z",
        "orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
        "shortName": "TR-CERT"
      },
      "references": [
        {
          "tags": [
            "government-resource"
          ],
          "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0383"
        }
      ],
      "source": {
        "advisory": "TR-26-0383",
        "defect": [
          "TR-26-0383"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Code Injection in Mia Technologies\u0027 Pizzy Library",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
    "assignerShortName": "TR-CERT",
    "cveId": "CVE-2026-5242",
    "datePublished": "2026-06-15T12:47:51.609Z",
    "dateReserved": "2026-03-31T14:31:37.706Z",
    "dateUpdated": "2026-06-15T15:59:03.264Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}





Mitigation

Phase: Implementation

Description:

  • When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Mitigation

Phase: Implementation

Description:

  • If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Mitigation

Phase: Architecture and Design

Description:

  • Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

No CAPEC attack patterns related to this CWE.

Back to CWE stats page