CVE-2026-54243: CWE-1236: Improper Neutralization of Formula Elements in a CSV File in statamic cms
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.24 and 6.20.1, form submission values in src/Forms/Exporters/CsvExporter.php were not neutralized for spreadsheet formula characters when exported to CSV. A submission containing a value beginning with a formula trigger character, such as =, +, -, or @, could be interpreted as a live formula when a Control Panel user opens the export in a spreadsheet application. Form submissions can come from unauthenticated front-end visitors, so the malicious value can be supplied by an anonymous user and is later triggered by an editor opening the export. This issue is fixed in versions 5.73.24 and 6.20.1.
AI Analysis
Technical Summary
CVE-2026-54243 is an improper neutralization of formula elements vulnerability (CWE-1236) in Statamic CMS. Specifically, in the CsvExporter.php file, form submission values are exported to CSV without sanitizing leading formula trigger characters. Since form submissions can be made by unauthenticated front-end visitors, an attacker can inject malicious formula strings that are executed when a Control Panel user opens the CSV export in a spreadsheet application. This vulnerability affects versions prior to 5.73.24 and 6.20.1 and has a CVSS 3.1 score of 6.1 (medium severity).
Potential Impact
An attacker can supply malicious input containing spreadsheet formula trigger characters in form submissions. When a Control Panel user opens the exported CSV file, these values may be interpreted as live formulas, potentially leading to formula injection attacks. This can result in limited confidentiality and integrity impacts, such as data leakage or manipulation within the spreadsheet environment. There is no indication of availability impact or known exploits in the wild.
Mitigation Recommendations
This vulnerability is fixed in Statamic CMS versions 5.73.24 and 6.20.1. Users should upgrade to these versions or later to remediate the issue. No vendor advisory is provided, but the fix versions are explicitly stated. Until upgraded, users should exercise caution when opening CSV exports from untrusted form submissions.
CVE-2026-54243: CWE-1236: Improper Neutralization of Formula Elements in a CSV File in statamic cms
Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.24 and 6.20.1, form submission values in src/Forms/Exporters/CsvExporter.php were not neutralized for spreadsheet formula characters when exported to CSV. A submission containing a value beginning with a formula trigger character, such as =, +, -, or @, could be interpreted as a live formula when a Control Panel user opens the export in a spreadsheet application. Form submissions can come from unauthenticated front-end visitors, so the malicious value can be supplied by an anonymous user and is later triggered by an editor opening the export. This issue is fixed in versions 5.73.24 and 6.20.1.
CVSS v3.1
Score 6.1medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-54243 is an improper neutralization of formula elements vulnerability (CWE-1236) in Statamic CMS. Specifically, in the CsvExporter.php file, form submission values are exported to CSV without sanitizing leading formula trigger characters. Since form submissions can be made by unauthenticated front-end visitors, an attacker can inject malicious formula strings that are executed when a Control Panel user opens the CSV export in a spreadsheet application. This vulnerability affects versions prior to 5.73.24 and 6.20.1 and has a CVSS 3.1 score of 6.1 (medium severity).
Potential Impact
An attacker can supply malicious input containing spreadsheet formula trigger characters in form submissions. When a Control Panel user opens the exported CSV file, these values may be interpreted as live formulas, potentially leading to formula injection attacks. This can result in limited confidentiality and integrity impacts, such as data leakage or manipulation within the spreadsheet environment. There is no indication of availability impact or known exploits in the wild.
Mitigation Recommendations
This vulnerability is fixed in Statamic CMS versions 5.73.24 and 6.20.1. Users should upgrade to these versions or later to remediate the issue. No vendor advisory is provided, but the fix versions are explicitly stated. Until upgraded, users should exercise caution when opening CSV exports from untrusted form submissions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-12T16:25:43.085Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a5b5eaa2d1edb114c7fb16b
Added to database: 07/18/2026, 11:08:26 UTC
Last enriched: 07/18/2026, 11:49:56 UTC
Last updated: 07/18/2026, 13:12:42 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.