CVE-2022-21241

CRITICAL

CSV+ < 0.8.1 - Unauthenticated Cross-Site Scripting via Crafted CSV File with HTML a Tag

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-21241. PoCs published by satoki, nanaao.

AI-analyzed exploit summary: This PoC demonstrates a 2-click arbitrary code execution vulnerability in CSV+ <= 0.8.0 via HTML injection and Node.js functionality. The attack involves a malicious CSV file with an HTML link that, when clicked, executes arbitrary code via a malicious HTML file.

Description

Cross-site scripting vulnerability in CSV+ prior to 0.8.1 allows a remote unauthenticated attacker to inject an arbitrary script or an arbitrary OS command via a specially crafted CSV file that contains HTML a tag.

Exploits (2)

nomisec WORKING POC 24 stars
by satoki · poc
https://github.com/satoki/csv-plus_vulnerability

This PoC demonstrates a 2-click arbitrary code execution vulnerability in CSV+ <= 0.8.0 via HTML injection and Node.js functionality. The attack involves a malicious CSV file with an HTML link that, when clicked, executes arbitrary code via a malicious HTML file.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: CSV+ <= 0.8.0
No auth needed
Prerequisites: Victim must open the malicious CSV file in CSV+ · Victim must click the malicious link
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by nanaao · poc
https://github.com/nanaao/csv-plus_vulnerability

This repository demonstrates a 2-click arbitrary code execution vulnerability in CSV+ <= 0.8.0 via HTML injection and Node.js functionality. The PoC includes a malicious CSV file and HTML payload that executes arbitrary commands (e.g., 'calc') when clicked.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: CSV+ <= 0.8.0
No auth needed
Prerequisites: Victim must open the malicious CSV file and click the embedded link
devstral-2 · analyzed May 30, 2026

References (2)

Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/plusone-masaki/csv-plus/releases/tag/v0.8.1
Third Party Advisory x_refsource_misc
https://jvn.jp/en/jp/JVN67396225/index.html

Scores

CVSS v3 9.6
EPSS 0.0312
EPSS Percentile 86.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Details

CWE: CWE-79
Status published
Products (1)
csv\+_project/csv\+ < 0.8.1
Published Feb 08, 2022
Tracked Since Feb 18, 2026