CVE-2023-54348
Published: 05 May 2026
Summary
CVE-2023-54348 is a high-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Codecanyon (inferred from references). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Windows Command Shell (T1059.003); the CVE is ranked at the 27.2nd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2023-54348 is a CSV injection vulnerability (CWE-1236) affecting ERPGo SaaS version 3.9, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue exists in the vendor creation form, where the vendor name field allows injection of formula payloads that can lead to arbitrary code execution. Published on 2026-05-05, the vulnerability enables attackers to embed malicious formulas, such as =10+20+cmd|' /C calc'!A0, into exported CSV files.
Authenticated attackers with low privileges (PR:L) can exploit this vulnerability by creating a vendor record with a crafted formula in the name field. When another user, such as an administrator, exports a CSV file containing the malicious vendor data and opens it in a spreadsheet application like Microsoft Excel, the formula executes automatically without user interaction (UI:N). This results in arbitrary code execution on the victim's local machine, potentially compromising confidentiality, integrity, and availability with high impact.
Advisories and resources, including the VulnCheck advisory at https://www.vulncheck.com/advisories/erpgo-saas-csv-injection-via-vendor-creation and a proof-of-concept exploit on Exploit-DB at https://www.exploit-db.com/exploits/51220, document the issue. The affected ERPGo SaaS product is available on CodeCanyon at https://codecanyon.net/item/erpgo-saas-all-in-one-business-erp-with-project-account-hrm-crm-pos/33263426 and via https://rajodiya.com/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-60572
Vulnerability details
ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to inject spreadsheet formulas into vendor name fields that execute on the workstation of users who open the exported CSV in a spreadsheet application. Attackers can add malicious formulas like =10+20+cmd|' /C calc'!A0 in the vendor creation form, which execute when the exported CSV file is opened in spreadsheet applications.
- CWE(s): CWE-1236 (Improper Neutralization of Formula Elements in a CSV File)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Windows Command Shell (T1059.003)
Why these techniques?
CSV formula injection directly enables embedding of malicious payloads (e.g., cmd.exe execution via Excel formulas) that run automatically on file open, mapping to Windows Command Shell execution and Malicious File user execution.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of all inputs (vendor name field) to reject or neutralize formula payloads before storage.
- SI-15 (Information Output Filtering): requires filtering or encoding of exported data (CSV files) to neutralize spreadsheet formulas and block automatic execution on open.
- Ensures integrity verification of stored and exported information to detect or block unauthorized formula injection in vendor records.
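As an added example (not code from ERPGo SaaS or its vendor), the following Python applies the two controls listed above to a vendor export: a creation-time check on the name field, an export routine that neutralizes formula-shaped cells, and a scan for files already exported, exercised against the payload quoted in this advisory and constructed vendor rows. The column names and sample vendors are assumptions.

```python
import csv
import io

# A spreadsheet evaluates a cell that, after leading whitespace (spaces, tab, CR),
# starts with one of these characters instead of displaying it as text.
FORMULA_TRIGGERS = ("=", "+", "-", "@")

def looks_like_formula(value: str) -> bool:
    """True when a spreadsheet application would evaluate this cell as a formula."""
    return value.lstrip().startswith(FORMULA_TRIGGERS)

def validate_vendor_name(name: str) -> tuple[bool, str]:
    """SI-10 at the vendor creation form: reject formula-shaped names. Returns (ok, reason)."""
    if looks_like_formula(name):
        return False, "vendor name must not begin with =, +, -, @, tab or CR"
    return True, ""

def neutralize_cell(value: str) -> str:
    """SI-15 on export: an apostrophe prefix makes spreadsheets store the value as text.
    Applied to every cell, even validated ones, so stored payloads cannot reach a user."""
    return "'" + value if looks_like_formula(value) else value

def export_vendors_csv(vendors) -> str:
    """Write (id, name, email) rows as CSV with every cell quoted and neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["id", "name", "email"])
    for vendor in vendors:
        writer.writerow([neutralize_cell(str(field)) for field in vendor])
    return buf.getvalue()

def find_formula_cells(csv_text: str) -> list:
    """Detection for already-exported files: (row, column, value) of evaluable cells."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if looks_like_formula(cell):
                hits.append((r, c, cell))
    return hits

# Constructed sample vendors (assumed columns); the second name is the payload quoted above.
SAMPLE_VENDORS = [
    (1, "Acme Supplies", "sales@acme.example"),
    (2, "=10+20+cmd|' /C calc'!A0", "vendor2@example.com"),
    (3, "-Dash Logistics", "ops@dash.example"),
]

if __name__ == "__main__":
    print(validate_vendor_name(SAMPLE_VENDORS[1][1]), export_vendors_csv(SAMPLE_VENDORS), sep="\n")
```

Note that the input check also rejects legitimate names that begin with a minus sign, so the export-side neutralization is the control that must always run.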