CVE-2026-9673
7
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Summary
Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | json-2-csv | 3.15.0 < 5.5.11 | affected |
| n/a | org.webjars.npm:json-2-csv | 0 < * | affected |
Weaknesses
- CWE-1236: CSV Injection
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://security.snyk.io/vuln/SNYK-JS-JSON2CSV-14221326
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-17115116
- https://github.com/mrodrig/json-2-csv/blob/main/src/json2csv.ts%23L410
- https://gist.github.com/whoamins/299745a2d36b482b44e9613b78e40613
- https://github.com/mrodrig/json-2-csv/commit/0fdd0bb6d0273178cd940afc323ccbce19688229
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.