CVE-2026-9673 | THREATINT

Description

Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications.

PUBLISHED Reserved 2026-05-27 | Published 2026-05-28 | Updated 2026-05-28 | Assigner snyk

HIGH: 7.0CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

MEDIUM: 6.8CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P

Problem types

CSV Injection

Credits

Ilsaf Nabiullin

References

security.snyk.io/vuln/SNYK-JS-JSON2CSV-14221326

github.com/mrodrig/json-2-csv/blob/main/src/json2csv.ts#L410

gist.github.com/whoamins/299745a2d36b482b44e9613b78e40613

github.com/...ommit/0fdd0bb6d0273178cd940afc323ccbce19688229

cve.org (CVE-2026-9673)

nvd.nist.gov (CVE-2026-9673)

Download JSON