CVE-2026-9673

Published: Mag 28, 2026 Last Modified: Mag 28, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 5,5

Source: [email protected]

Attack Vector: local

Attack Complexity: low

Privileges Required: none

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

MEDIUM 6,8

Source: [email protected]

Attack Vector: local

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: low

Availability: none

Description

AI Translation Available

Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications.

1236

Improper Neutralization of Formula Elements in a CSV File

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality

Potential Impacts:

Read Application Data Execute Unauthorized Code Or Commands

Applicable Platforms

Technologies: Other

View CWE Details

https://gist.github.com/whoamins/299745a2d36b482b44e9613b78…

https://gist.github.com/whoamins/299745a2d36b482b44e9613b78e40613

https://github.com/mrodrig/json-2-csv/blob/main/src/json2cs…

https://github.com/mrodrig/json-2-csv/blob/main/src/json2csv.ts%23L410

https://github.com/mrodrig/json-2-csv/commit/0fdd0bb6d02731…

https://github.com/mrodrig/json-2-csv/commit/0fdd0bb6d0273178cd940afc323ccbce19…

https://security.snyk.io/vuln/SNYK-JS-JSON2CSV-14221326

https://security.snyk.io/vuln/SNYK-JS-JSON2CSV-14221326