CVE-2026-9673
6.8 MEDIUMVersions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which...
Published: 2026-05-28 · Last updated: 2026-05-29
Severity and scoring
- CVSS
- 6.8 MEDIUM
- Vector
- CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- CWE
- CWE-1236
Description
Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-9673
- [Other]https://gist.github.com/whoamins/299745a2d36b482b44e9613b78e40613
- [Other]https://github.com/mrodrig/json-2-csv/blob/main/src/json2csv.ts%23L410
- [Other]https://github.com/mrodrig/json-2-csv/commit/0fdd0bb6d0273178cd940afc323ccbce19688229
- [Other]https://security.snyk.io/vuln/SNYK-JS-JSON2CSV-14221326
Related CVEs
Same CWE
- CVE-2025-52612 — HCL iControl was affected by Export CSV - CSV Injection vulnerability (7.1 HIGH)
- CVE-2026-10248 — A vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System up to 1.0 (4.7 MEDIUM)
- CVE-2026-41073 — RT is an open source, enterprise-grade issue and ticket tracking system (4.6 MEDIUM)
- CVE-2023-54348 — ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to execute arbitrary code by injecting formula ... (8.8 HIGH)