SecuriTricks - CVE-2026-9673

Description

Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications.

Product(s) Impacted

Vendor	Product	Versions
Json-2-csv	Json-2-csv	3.15.0-5.5.11

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-1236

Improper Neutralization of Formula Elements in a CSV File

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	json-2-csv	json-2-csv	3.15.0-5.5.11	/	/	/	/	/	/	/

References

https://gist.github.com/whoamins/299745a2d36b482b44e9613b78e40613

https://github.com/mrodrig/json-2-csv/blob/main/src/json2csv.ts%23L410

https://github.com/mrodrig/json-2-csv/commit/0fdd0bb6d0273178cd940afc323ccbce19688229

https://security.snyk.io/vuln/SNYK-JS-JSON2CSV-14221326

CVSS Score

5.5 / 10

CVSS Data - 4.0

Attack Vector: LOCAL
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: NONE
Scope:
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: NONE
Exploit Maturity: PROOF_OF_CONCEPT

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

View Vector String

Timeline

Published: May 28, 2026, 6:16 a.m.
Last Modified: May 29, 2026, 2:47 a.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-9673