ChurchCRM is an open-source CRM system for churches. ChurchCRM version 4.2.0 is affected by a CSV injection vulnerability: formula elements in a CSV file are not properly neutralized, so a remote attacker can execute arbitrary code via a crafted CSV file.
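
One way to neutralize formula elements when writing CSV, shown as an added Python example that is not ChurchCRM's code. The function names and sample rows are constructed for illustration, and the trigger characters follow OWASP's CSV injection guidance.

```python
import csv
import io

# Leading characters that spreadsheet applications may interpret as the start
# of a formula (list taken from OWASP's CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample data: user-controlled text fields next to a numeric column.
SAMPLE_ROWS = [
    ["Name", "Phone", "Pledge"],
    ["Alice Example", "+1-555-0100", 250],
    ["=2+5", "\t@SUM(A1:A2)", -5],
]


def neutralize_cell(value):
    """Return a cell value that a spreadsheet will display instead of evaluate."""
    if value is None:
        return ""
    # Genuine numbers cannot carry a formula, so negative amounts stay numeric.
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value
    text = str(value)
    # Conservative assumption: ignore leading spaces when checking, because
    # some importers trim them before deciding whether a cell is a formula.
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text  # the leading apostrophe forces the cell to text
    return text


def export_csv(rows):
    """Serialize rows with every cell neutralized and every field quoted."""
    buf = io.StringIO()
    # QUOTE_ALL keeps embedded commas and quotes from starting a new cell
    # that would bypass the leading-character check.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS), end="")
```

Legitimate text that starts with a trigger character, such as the phone number in the sample, is also prefixed, so consumers that parse the export programmatically need to strip the apostrophe.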