CVE Catalog

CVE-2026-9673

MediumCVSS 6.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

6th percentile - higher than 6% of all known CVEs

Summary

A vulnerability in the json-2-csv library versions 3.15.0 through 5.5.10 allows CSV injection by bypassing the preventCsvInjection option. An attacker can inject malicious formulas into CSV files that execute when opened in spreadsheet applications.

Risk Assessment

The risk involves potential execution of malicious formulas in users' spreadsheets, which could lead to data theft, malware infection, or further propagation of the attack within the organization.

Recommendation

Immediately update the json-2-csv library to version 5.5.11 or later. If an update is not possible, manually validate and sanitize input data before generating CSV files.

Original NVD description (English source)

Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS