Spreadsheet Formula Injection in Statamic CMS
CVE-2026-54243

6.1MEDIUM

Key Information:

Vendor

Statamic

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-54243?

Statamic CMS, a content management system built on Laravel and Git, is susceptible to a vulnerability where form submissions can contain unneutralized spreadsheet formula characters. This issue arises in versions prior to 5.73.24 and 6.20.1, specifically in the CSV export functionality. An unauthenticated front-end user can submit malicious values that begin with formula trigger characters, such as =, +, -, or @. When an editor opens the exported CSV file in a spreadsheet application, these values may be executed as live formulas, presenting a significant security risk. This vulnerability has been resolved in the aforementioned versions.

Affected Version(s)

cms < 5.73.24 < 5.73.24

cms >= 6.0.0, < 6.20.1 < 6.0.0, 6.20.1

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.