CVE-2026-9673

MEDIUM

json-2-csv < 5.5.11 - Improper Neutralization of Formula Elements in a CSV File

Title source: rule

Description

Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications.

References (4)

Core 4

Core References

https://github.com/mrodrig/json-2-csv/blob/main/src/json2csv.ts%23L410

https://gist.github.com/whoamins/299745a2d36b482b44e9613b78e40613

https://github.com/mrodrig/json-2-csv/commit/0fdd0bb6d0273178cd940afc323ccbce19688229

View Patch ZIP pw:eip

https://security.snyk.io/vuln/SNYK-JS-JSON2CSV-14221326

Scores

CVSS v3 6.8

EPSS 0.0017

EPSS Percentile 6.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1236

Status published

Products (1)

None/json-2-csv 3.15.0 - 5.5.11

Published May 28, 2026

Tracked Since May 28, 2026