The Ninja Forms plugin before 3.3.14.1 for WordPress allows CSV injection.
CWE-1236
CVE-2018-16275
OPSWAT MetaDefender before v4.11.2 allows CSV injection.
CVE-2018-15571
The Export Users to CSV plugin through 1.1.1 for WordPress allows CSV injection.
CVE-2018-15474
** DISPUTED ** CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export. NOTE: the vendor has stated “this is not a security problem in DokuWiki.”
CVE-2018-12244
SEP (Mac client) prior to and including 12.1 RU6 MP9 and prior to 14.2 RU1 may be susceptible to a CSV/DDE injection (also known as formula injection) vulnerability, which is a type of issue whereby an application or website allows untrusted input into CSV files.
CVE-2018-11652
CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers to inject arbitrary OS commands via the Server field in an HTTP response header, which is directly injected into a CSV report.