CVE-2026-54243
published 2026-06-26CVE-2026-54243: Statamic Vulnerable to CSV formula injection in form submission exports ### Impact Form submission values were not neutralized for spreadsheet formula…
medium
Statamic Vulnerable to CSV formula injection in form submission exports ### Impact Form submission values were not neutralized for spreadsheet formula characters when exported to CSV. A submission containing a value beginning with a formula trigger character (e.g. = , + , - , @ ) could be interpreted as a live formula when a Control Panel user opens the export in a spreadsheet application. Form submissions can come from unauthenticated front-end visitors, so the malicious value can be supplied by an anonymous user and is later triggered by an editor opening the export. Exploitation affects the spreadsheet application used to open the export, not the Statamic application or server; the data at risk is the form submission data the exporting user is already authorized to view. ### Patches This has been fixed in 5.73.24 and 6.20.1.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| statamic | cms | >= 0 < 5.73.24 | 5.73.24 |
| statamic | cms | >= 6.0.0 < 6.20.1 | 6.20.1 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-26
Published