CWE-1236

A CSV injection vulnerability exists in the web UI of SolarWinds Serv-U FTP Server v15.1.7.

myTinyTodo 1.3.3 through 1.4.3 allows CSV Injection. This is fixed in 1.5.

LiveZilla Server before 8.0.1.1 is vulnerable to CSV Injection in the Export Function.

An issue was discovered in Joomla! before 3.9.7. The CSV export of com_actionslogs is vulnerable to CSV injection.

CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in Workday through 32 via a value (provided by a low-privileged user in a contact form field) that is mishandled in a CSV export.

The Hustle (aka wordpress-popup) plugin 6.0.7 for WordPress is vulnerable to CSV Injection as it allows for injecting malicious code into a pop-up window. Successful exploitation grants an attacker with a right to execute malicious code on the administrator’s computer through Excel functions as the plugin does not sanitize the user’s input and allows insertion of any text.