CVE Vulnerabilities

CVE-2026-9673

Improper Neutralization of Formula Elements in a CSV File

Published: May 28, 2026 | Modified: Jul 03, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
6.1 MODERATE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Ubuntu
root.io logo minimus.io logo echo.ai logo

Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications.

Weakness

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

Affected Software

NameVendorStart VersionEnd Version
Red Hat Developer Hub 1.10RedHatrhdh/rhdh-hub-rhel9:1783448184*
Red Hat Developer Hub 1.9RedHatrhdh/rhdh-hub-rhel9:1782761244*

Potential Mitigations

References