CVE-2026-54243
Received Received - Intake

CSV Formula Injection in Statamic CMS

Vulnerability report for CVE-2026-54243, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.24 and 6.20.1, form submission values in src/Forms/Exporters/CsvExporter.php were not neutralized for spreadsheet formula characters when exported to CSV. A submission containing a value beginning with a formula trigger character, such as =, +, -, or @, could be interpreted as a live formula when a Control Panel user opens the export in a spreadsheet application. Form submissions can come from unauthenticated front-end visitors, so the malicious value can be supplied by an anonymous user and is later triggered by an editor opening the export. This issue is fixed in versions 5.73.24 and 6.20.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
statamic statamic to 5.73.24 (inc)
statamic statamic to 6.20.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1236 The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the Statamic CMS versions before 5.73.24 and 6.20.1. It involves improper neutralization of spreadsheet formula characters in form submission values when exported to CSV. Attackers can inject values starting with characters like =, +, -, or @, which are interpreted as live formulas when opened in spreadsheet software.

Detection Guidance

Check if your Statamic version is below 5.73.24 or 6.20.1. Inspect CSV exports for formula characters like =, +, -, or @ at the start of values. Monitor form submissions for unusual inputs.

Impact Analysis

Unauthenticated users can submit malicious form data that, when exported and opened by an editor, executes unintended spreadsheet formulas. This could lead to data leaks, unauthorized actions, or manipulation of exported data without direct system access.

Compliance Impact

This vulnerability may violate compliance requirements for data integrity and confidentiality under GDPR and HIPAA. Unauthorized data exposure or manipulation through formula injection could result in breaches of protected health information or personal data, leading to regulatory penalties.

Mitigation Strategies

Upgrade Statamic to version 5.73.24 or 6.20.1 or later. Review and sanitize form submissions before processing. Implement input validation to block formula characters in submissions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54243. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart