Date
Severity: Moderately Critical
Vulnerability: CSV Injection
Affected versions: <7.x-3.6

Description

The TableField module provides a field type that allows users to embed tabular data within Drupal content and export it as a CSV file.

The module did not sanitize table cell values before writing them to the CSV file via fputcsv() in tablefield_export_csv(), making it vulnerable to CSV injection.

This vulnerability is mitigated by the fact that exploitation requires an administrator to export the table data and then open the resulting CSV file in a spreadsheet application that evaluates formulas on open (e.g., Microsoft Excel, LibreOffice Calc).
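
One way to neutralize formula-leading cells before they reach fputcsv(), shown as an added example. It is not the TableField module's code or its patch; the function names and the sample rows are hypothetical.

```php
<?php
// Added example: hypothetical helpers, not the TableField module's API.

/**
 * Return a cell value that a spreadsheet will treat as literal text.
 *
 * Cells whose first character is =, +, -, @, tab or carriage return are
 * prefixed with an apostrophe. Plain numbers such as "-5" are left alone
 * (a design choice in this example) so numeric columns stay numeric.
 */
function example_csv_neutralize_cell($value) {
  $value = (string) $value;
  if ($value === '' || is_numeric($value)) {
    return $value;
  }
  if (strpbrk($value[0], "=+-@\t\r") !== FALSE) {
    return "'" . $value;
  }
  return $value;
}

/**
 * Build CSV text from rows, neutralizing every cell before fputcsv().
 */
function example_csv_export(array $rows) {
  $out = fopen('php://memory', 'w+');
  foreach ($rows as $row) {
    $safe = array_map('example_csv_neutralize_cell', $row);
    // Separator, enclosure and escape are passed explicitly.
    fputcsv($out, $safe, ',', '"', '\\');
  }
  rewind($out);
  $csv = stream_get_contents($out);
  fclose($out);
  return $csv;
}

// Constructed sample table: one formula-leading cell, one negative number.
$rows = array(
  array('Item', 'Qty', 'Note'),
  array('Widget', '-5', '=SUM(B2:B9)'),
  array('Gadget', '12', 'plain text'),
);
echo example_csv_export($rows);
```

The apostrophe prefix alters the exported value, so any process that re-imports the CSV has to account for it.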

Solution

Install the latest version.

If you use the TableField module for Drupal 7, upgrade to tablefield 7.x-3.7:


Reported by

Fixed by

  • Tag1 D7ES

Coordinated by

  • Tag1 D7ES