Spreadsheet Formula Injection in Statamic CMS
CVE-2026-54243
6.1MEDIUM
What is CVE-2026-54243?
Statamic CMS, a content management system built on Laravel and Git, is susceptible to a vulnerability where form submissions can contain unneutralized spreadsheet formula characters. This issue arises in versions prior to 5.73.24 and 6.20.1, specifically in the CSV export functionality. An unauthenticated front-end user can submit malicious values that begin with formula trigger characters, such as =, +, -, or @. When an editor opens the exported CSV file in a spreadsheet application, these values may be executed as live formulas, presenting a significant security risk. This vulnerability has been resolved in the aforementioned versions.
Affected Version(s)
cms < 5.73.24 < 5.73.24
cms >= 6.0.0, < 6.20.1 < 6.0.0, 6.20.1
