Cyber Resilience

CVE-2023-54348

High · Public PoC

Published: 05 May 2026

Modified: 26 May 2026
KEV Added: not listed
Patch:
CVSS Score (v4): 8.7, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0035 (27.2nd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2023-54348 is a high-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Codecanyon (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Windows Command Shell (T1059.003). The CVE is ranked at the 27.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2023-54348 is a CSV injection vulnerability (CWE-1236) affecting ERPGo SaaS version 3.9, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue exists in the vendor creation form, where the vendor name field allows injection of formula payloads that can lead to arbitrary code execution. Published on 2026-05-05, the vulnerability enables attackers to embed malicious formulas, such as =10+20+cmd|' /C calc'!A0, into exported CSV files.

Authenticated attackers with low privileges (PR:L) can exploit this vulnerability by creating a vendor record with a crafted formula in the name field. When another user, such as an administrator, exports a CSV file containing the malicious vendor data and opens it in a spreadsheet application like Microsoft Excel, the formula executes automatically without user interaction (UI:N). This results in arbitrary code execution on the victim's local machine, potentially compromising confidentiality, integrity, and availability with high impact.

Advisories and resources, including the VulnCheck advisory at https://www.vulncheck.com/advisories/erpgo-saas-csv-injection-via-vendor-creation and a proof-of-concept exploit on Exploit-DB at https://www.exploit-db.com/exploits/51220, document the issue. The affected ERPGo SaaS product is available on CodeCanyon at https://codecanyon.net/item/erpgo-saas-all-in-one-business-erp-with-project-account-hrm-crm-pos/33263426 and via https://rajodiya.com/.

EU & UK References

Vulnerability details

ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to inject spreadsheet formulas into vendor name fields that execute on the workstation of users who open the exported CSV in a spreadsheet application. Attackers can add malicious formulas like =10+20+cmd|' /C calc'!A0 in the vendor creation form, which execute when the exported CSV file is opened in spreadsheet applications.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1059.003 Windows Command Shell (tactic: Execution)
Adversaries may abuse the Windows command shell for execution.
T1204.002 Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

CSV formula injection directly enables embedding of malicious payloads (e.g., cmd.exe execution via Excel formulas) that run automatically on file open, mapping to Windows Command Shell execution and Malicious File user execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2021-47901 (shared CWE-1236)
CVE-2020-36941 (shared CWE-1236)
CVE-2023-51336 (shared CWE-1236)
CVE-2025-67851 (shared CWE-1236)
CVE-2023-51333 (shared CWE-1236)
CVE-2025-50572 (shared CWE-1236)
CVE-2026-23873 (shared CWE-1236)
CVE-2023-51311 (shared CWE-1236)
CVE-2025-56267 (shared CWE-1236)
CVE-2023-51319 (shared CWE-1236)

Affected Assets

Codecanyon (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent (SI-10, Information Input Validation): Directly requires validation and sanitization of all inputs (vendor name field) to reject or neutralize formula payloads before storage.

Prevent (SI-15, Information Output Filtering): Requires filtering or encoding of exported data (CSV files) to neutralize spreadsheet formulas and block automatic execution on open.

Prevent / Detect: Ensures integrity verification of stored and exported information to detect or block unauthorized formula injection in vendor records.
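The three controls above map onto three code paths: validating the vendor name at creation time, neutralizing every user-controlled cell at CSV export time, and scanning stored records for formulas that were injected before the fix. The following Python module is an added example written for this page; it is not ERPGo SaaS code and makes no assumption about that product's internals. The vendor records, field names and helper names are constructed for illustration; the second sample record carries the formula string quoted in the vulnerability details above so the checks can be exercised against it.

```python
import csv
import io

# Leading characters that Excel, LibreOffice Calc and similar applications treat
# as the start of a formula (per OWASP CSV injection guidance). Tab and carriage
# return are included because some importers strip leading whitespace before
# deciding whether a cell is a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample records (not real data). Record 2 carries the formula
# string quoted on this page; record 3 is a legitimate name that merely starts
# with a trigger character.
SAMPLE_VENDORS = [
    {"id": 1, "name": "Acme Supplies Ltd", "email": "ap@acme.example"},
    {"id": 2, "name": "=10+20+cmd|' /C calc'!A0", "email": "x@vendor.example"},
    {"id": 3, "name": "-5 Percent Discount Co", "email": "sales@minus5.example"},
]


def _is_plain_number(value: str) -> bool:
    """True for values such as -12.5 that legitimately start with a sign."""
    try:
        float(value)
        return True
    except ValueError:
        return False


def is_suspicious(value) -> bool:
    """Detection check: would a spreadsheet evaluate this cell as a formula?"""
    if not isinstance(value, str) or not value:
        return False
    return value[0] in FORMULA_TRIGGERS and not _is_plain_number(value)


def validate_vendor_name(name: str) -> bool:
    """SI-10 style input validation at the vendor creation form: reject names
    that would be evaluated as formulas instead of storing them."""
    return bool(name.strip()) and not is_suspicious(name)


def neutralize_cell(value):
    """SI-15 style output filtering: prefix a formula-like string with a single
    quote so spreadsheet applications display it as literal text."""
    if is_suspicious(value):
        return "'" + value
    return value


def export_vendors_csv(vendors) -> str:
    """Write vendor records as CSV with every user-controlled cell neutralized.
    Quoting alone is not enough: a quoted "=..." field is still evaluated."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["id", "name", "email"])
    for v in vendors:
        writer.writerow([v["id"], neutralize_cell(v["name"]), neutralize_cell(v["email"])])
    return buf.getvalue()


def find_suspicious_vendors(vendors) -> list:
    """Retrospective scan of stored records for formulas injected before the
    input validation was in place (the detect half of the third control)."""
    return [v["id"] for v in vendors if is_suspicious(v["name"]) or is_suspicious(v["email"])]


if __name__ == "__main__":
    print("records needing review:", find_suspicious_vendors(SAMPLE_VENDORS))
    print(export_vendors_csv(SAMPLE_VENDORS), end="")
```

The export-time filter is the layer to rely on: it is applied to every string cell regardless of which form stored it, and it neutralizes values that predate the fix. Input validation at the form rejects the formula outright but also refuses legitimate names such as the constructed "-5 Percent Discount Co", so in practice the two are used together, with the validator tuned to the field and the output filter left unconditional.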

References