CWE-1236 类漏洞列表 132

CWE-1236 类弱点 132 条 CVE 漏洞汇总，含 AI 中文分析。

CWE-1236 属于 CSV 注入漏洞，指程序将用户输入写入 CSV 文件时未对特殊字符进行适当转义。攻击者利用此缺陷，在数据中嵌入以等号、加号或制表符开头的恶意公式，当受害者使用电子表格软件打开文件时，这些公式会被自动执行，可能导致数据泄露、远程代码执行或系统配置篡改。开发者应通过转义特殊字符、限制输入内容或采用非公式格式存储数据来防御此类攻击。

MITRE CWE 官方描述

CWE：CWE-1236 CSV 文件中公式元素的不当中和英文：产品将用户提供的信息保存到逗号分隔值（Comma-Separated Value, CSV）文件中，但未对特殊元素进行中和，或中和不当，导致当文件被电子表格产品打开时，这些元素可能被解释为命令。

常见影响 (1)

ConfidentialityRead Application Data, Execute Unauthorized Code or Commands

Attackers can populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content.

缓解措施 (3)

ImplementationWhen generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).

Effectiveness: Moderate

ImplementationIf a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.

Effectiveness: Moderate

Architecture and DesignCertain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.

Effectiveness: Limited

代码示例 (1)

Hyperlinks or other commands can be executed when a cell begins with the formula identifier, '='

=HYPERLINK(link_location, [friendly_name])

Attack · Other

HYPERLINK(link_location, [friendly_name])

Good · Other

CVE ID	标题	CVSS	风险等级	Published
CVE-2026-10248	SourceCodester Pharmacy 系统供应商创建CSV注入漏洞 — Pharmacy Sales and Inventory System	4.7	Medium	2026-06-01
CVE-2026-9673	json-2-csv 安全漏洞 — json-2-csv	6.8	Medium	2026-05-28
CVE-2026-41073	Request Tracker 安全漏洞 — rt	4.6	Medium	2026-05-22
CVE-2026-35157	Dell ECS和Dell ObjectScale 安全漏洞 — ECS	5.8	Medium	2026-05-11
CVE-2026-42267	kimai 安全漏洞 — kimai	6.5^AI	Medium^AI	2026-05-08
CVE-2026-27644	Traccar 安全漏洞 — traccar	6.5	Medium	2026-05-05
CVE-2023-54348	Rajodiya ERPGo SaaS 安全漏洞 — ERPGo SaaS	8.8	High	2026-05-05
CVE-2026-39424	MaxKB 安全漏洞 — MaxKB	7.8	-	2026-04-14
CVE-2026-24447	Movable Type 安全漏洞 — Movable Type (Software Edition)	8.6^AI	High^AI	2026-02-04
CVE-2025-67851	Moodle 安全漏洞	6.1	Medium	2026-02-03
CVE-2020-36962	Tendenci 安全漏洞 — Tendenci	9.8	Critical	2026-01-28
CVE-2021-47901	dirsearch 安全漏洞 — dirsearch	9.8	Critical	2026-01-27
CVE-2020-36941	Knock Subdomain Scan 安全漏洞 — knock	9.8	Critical	2026-01-27
CVE-2026-23873	HUSTOJ 安全漏洞 — hustoj	8.0^AI	High^AI	2026-01-21
CVE-2025-61873	Request Tracker 安全漏洞 — Request Tracker	2.6	Low	2026-01-16
CVE-2023-53929	phpMyFAQ 安全漏洞 — phpMyFAQ	8.8	High	2025-12-17
CVE-2023-53913	Rukovoditel 安全漏洞 — Rukovoditel	8.8	High	2025-12-17
CVE-2023-53905	ProjectSend 安全漏洞 — projectSend	8.0	High	2025-12-17
CVE-2025-14229	SourceCodester Inventory Management System 安全漏洞 — Inventory Management System	4.7	Medium	2025-12-08
CVE-2025-13133	WordPress plugin Simple User Import Export 安全漏洞 — Simple User Import Export	6.6	Medium	2025-11-18
CVE-2025-12249	Axosoft Scrum and Bug Tracking 安全漏洞 — Scrum and Bug Tracking	6.3	Medium	2025-10-27
CVE-2025-11576	WordPress plugin AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant 安全漏洞 — AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant	4.3	Medium	2025-10-24
CVE-2025-62417	Webkul Software Bagisto 安全漏洞 — bagisto	7.8^AI	High^AI	2025-10-16
CVE-2025-11498	B&R Automation Runtime 安全漏洞 — Automation Runtime	6.1	Medium	2025-10-14
CVE-2025-11254	WordPress plugin Contest Gallery – Upload, Vote & Sell with PayPal and Stripe 安全漏洞 — Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe	4.3	Medium	2025-10-11
CVE-2025-11279	Axosoft Scrum and Bug Tracking 安全漏洞 — Scrum and Bug Tracking	5.5	Medium	2025-10-05
CVE-2025-35033	Medical Informatics Engineering Enterprise Health 安全漏洞 — Enterprise Health	4.1	Medium	2025-09-29
CVE-2025-58855	WordPress plugin AP HoneyPot 安全漏洞 — AP HoneyPot WordPress Plugin	7.1	High	2025-09-05
CVE-2025-55745	UnoPim 安全漏洞 — unopim	8.8^AI	High^AI	2025-08-22
CVE-2025-9241	ELADMIN 安全漏洞 — eladmin	6.3	Medium	2025-08-20

CWE-1236 是常见的弱点类别，本平台收录该类弱点关联的 132 条 CVE 漏洞。

目标达成 感谢每一位支持者 — 我们达成了 100% 目标！

CWE-1236 类漏洞列表 132

目标达成感谢每一位支持者 — 我们达成了 100% 目标！