Cyber Posture

CVE-2023-54348

Severity: High · Public PoC

Published: 05 May 2026
Modified: 05 May 2026
KEV Added: not listed
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0007 (20.5th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-54348 is a high-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Codecanyon (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, EPSS ranks it at the 20.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: SI-10 (Information Input Validation). Validates inputs to the vendor creation form to reject malicious formula payloads before they are stored in the system.

prevent: SI-15 (Information Output Filtering). Filters formula payloads from vendor data during CSV export to prevent arbitrary code execution when the file is opened in a spreadsheet.

prevent: Directly addresses remediation of the CSV injection flaw in the vendor name field through identification, reporting, and correction.

NVD Description

ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to execute arbitrary code by injecting formula payloads into vendor name fields. Attackers can add malicious formulas like =10+20+cmd|' /C calc'!A0 in the vendor creation form, which execute when the exported CSV file is opened in spreadsheet applications.

Deeper analysis (AI-generated)

CVE-2023-54348 is a CSV injection vulnerability (CWE-1236) affecting ERPGo SaaS version 3.9, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue exists in the vendor creation form, where the vendor name field allows injection of formula payloads that can lead to arbitrary code execution. Published on 2026-05-05, the vulnerability enables attackers to embed malicious formulas, such as =10+20+cmd|' /C calc'!A0, into exported CSV files.

Authenticated attackers with low privileges (PR:L) can exploit this vulnerability by creating a vendor record with a crafted formula in the name field. When another user, such as an administrator, exports a CSV file containing the malicious vendor data and opens it in a spreadsheet application like Microsoft Excel, the formula executes automatically without user interaction (UI:N). This results in arbitrary code execution on the victim's local machine, potentially compromising confidentiality, integrity, and availability with high impact.
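As an added example (not code from ERPGo SaaS, the advisory, or the PoC), the following Python shows the two controls named in the summary for this flaw: an SI-10 style check on the vendor name at the creation form, and an SI-15 style filter applied to every cell during CSV export, plus a scanner that flags live formula cells in exports produced before a fix. The vendor record layout, the sample rows and the function names are assumptions for illustration; the payload string is the one quoted in the NVD description.

```python
import csv
import io

# Leading characters that make Excel or LibreOffice evaluate a cell as a
# formula (CWE-1236). Tab and CR are included because some spreadsheets
# strip them before looking for "=".
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def looks_like_formula(value: str) -> bool:
    """True when a spreadsheet would treat the cell as a formula, not text."""
    return bool(value) and value.startswith(FORMULA_TRIGGERS)


def validate_vendor_name(name: str) -> str:
    """SI-10 style check at the vendor form: reject formula-shaped names."""
    name = name.strip()
    if not name or looks_like_formula(name):
        raise ValueError("vendor name is empty or starts with = + - @ or a control char")
    return name


def neutralize_cell(value: str) -> str:
    """SI-15 style output filter: a leading apostrophe marks the cell as text."""
    # Quoting of separators and embedded quotes is left to csv.writer.
    return "'" + value if looks_like_formula(value) else value


def export_vendors_csv(vendors) -> str:
    """Write vendor rows with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["id", "name", "email"])
    for v in vendors:
        writer.writerow([v["id"], neutralize_cell(v["name"]),
                         neutralize_cell(v["email"])])
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Scan an existing export (e.g. one made before a fix) for live formulas."""
    return [(r, c, cell)
            for r, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1)
            for c, cell in enumerate(row, start=1)
            if looks_like_formula(cell)]


# Constructed sample: one benign vendor and one whose name carries the
# payload quoted in the NVD description.
SAMPLE_VENDORS = [
    {"id": 1, "name": "Acme Supplies", "email": "ap@acme.example"},
    {"id": 2, "name": "=10+20+cmd|' /C calc'!A0", "email": "x@evil.example"},
]
```

Rejecting a leading "-" or "+" at the form can be too strict for legitimate names, so the export-side neutralization is the control that must be present regardless; the scanner gives defenders a quick check of archived exports.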

Advisories and resources, including the VulnCheck advisory at https://www.vulncheck.com/advisories/erpgo-saas-csv-injection-via-vendor-creation and a proof-of-concept exploit on Exploit-DB at https://www.exploit-db.com/exploits/51220, document the issue. The affected ERPGo SaaS product is available on CodeCanyon at https://codecanyon.net/item/erpgo-saas-all-in-one-business-erp-with-project-account-hrm-crm-pos/33263426 and via https://rajodiya.com/.

Details

CWE(s): CWE-1236 (Improper Neutralization of Formula Elements in a CSV File)

Affected Products: Codecanyon (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2024-55532 (shared CWE-1236)
CVE-2020-36962 (shared CWE-1236)
CVE-2020-36941 (shared CWE-1236)
CVE-2025-50572 (shared CWE-1236)
CVE-2025-55745 (shared CWE-1236)
CVE-2023-51319 (shared CWE-1236)
CVE-2021-47901 (shared CWE-1236)
CVE-2025-67851 (shared CWE-1236)
CVE-2024-45084 (shared CWE-1236)
CVE-2025-56267 (shared CWE-1236)

References