{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-9673", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2026-05-27T05:35:32.761Z", "datePublished": "2026-05-28T05:00:02.387Z", "dateUpdated": "2026-05-28T13:10:59.627Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P"}, "cvssV4_0": {"version": "4.0", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}], "credits": [{"value": "Ilsaf Nabiullin", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1236", "description": "CSV Injection", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2026-05-28T05:00:02.387Z"}, "descriptions": [{"value": "Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-JSON2CSV-14221326"}, {"url": "https://github.com/mrodrig/json-2-csv/blob/main/src/json2csv.ts%23L410"}, {"url": "https://gist.github.com/whoamins/299745a2d36b482b44e9613b78e40613"}, {"url": "https://github.com/mrodrig/json-2-csv/commit/0fdd0bb6d0273178cd940afc323ccbce19688229"}], "affected": [{"product": "json-2-csv", "versions": [{"version": "3.15.0", "lessThan": "5.5.11", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-1236", "lang": "en", "description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-28T13:10:36.794098Z", "id": "CVE-2026-9673", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-28T13:10:59.627Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-9673", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-28T13:10:36.794098Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1236", "description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-28T13:10:40.695Z"}}], "cna": {"credits": [{"lang": "en", "value": "Ilsaf Nabiullin"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "confidentialityImpact": "HIGH"}, "cvssV4_0": {"version": "4.0", "baseScore": 7, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "exploitMaturity": "PROOF_OF_CONCEPT", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "n/a", "product": "json-2-csv", "versions": [{"status": "affected", "version": "3.15.0", "lessThan": "5.5.11", "versionType": "semver"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-JSON2CSV-14221326"}, {"url": "https://github.com/mrodrig/json-2-csv/blob/main/src/json2csv.ts%23L410"}, {"url": "https://gist.github.com/whoamins/299745a2d36b482b44e9613b78e40613"}, {"url": "https://github.com/mrodrig/json-2-csv/commit/0fdd0bb6d0273178cd940afc323ccbce19688229"}], "descriptions": [{"lang": "en", "value": "Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-1236", "description": "CSV Injection"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2026-05-28T05:00:02.387Z"}}}, "cveMetadata": {"cveId": "CVE-2026-9673", "state": "PUBLISHED", "dateUpdated": "2026-05-28T13:10:59.627Z", "dateReserved": "2026-05-27T05:35:32.761Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2026-05-28T05:00:02.387Z", "assignerShortName": "snyk"}, "dataVersion": "5.2"}

{"affected": [{"affectedData": [{"product": "json-2-csv", "vendor": "n/a", "versions": [{"lessThan": "5.5.11", "status": "affected", "version": "3.15.0", "versionType": "semver"}]}], "source": "report@snyk.io"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications."}], "id": "CVE-2026-9673", "lastModified": "2026-06-17T11:05:34.660", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 4.2, "source": "report@snyk.io", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "report@snyk.io", "type": "Secondary"}], "ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-9673", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "role": "CISA Coordinator", "timestamp": "2026-05-28T13:10:36.794098Z", "version": "2.0.3"}}]}, "published": "2026-05-28T06:16:29.147", "references": [{"source": "report@snyk.io", "url": "https://gist.github.com/whoamins/299745a2d36b482b44e9613b78e40613"}, {"source": "report@snyk.io", "url": "https://github.com/mrodrig/json-2-csv/blob/main/src/json2csv.ts%23L410"}, {"source": "report@snyk.io", "url": "https://github.com/mrodrig/json-2-csv/commit/0fdd0bb6d0273178cd940afc323ccbce19688229"}, {"source": "report@snyk.io", "url": "https://security.snyk.io/vuln/SNYK-JS-JSON2CSV-14221326"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1236"}], "source": "report@snyk.io", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-1236"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "json-2-csv: json-2-csv: CSV Injection vulnerability allows arbitrary code execution via `preventCsvInjection` bypass.", "id": "2482486", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482486"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "status": "draft"}, "cwe": "CWE-1236", "details": ["Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications.", "A flaw was found in json-2-csv. An attacker can bypass the `preventCsvInjection` option to inject malicious formulas into CSV (Comma Separated Values) files. When these manipulated CSV files are opened in spreadsheet applications, the injected formulas can execute, potentially leading to arbitrary code execution or information disclosure."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-9673", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Under investigation", "package_name": "ansible-automation-platform/bootc-automation-portal-rhel9", "product_name": "Self-service automation portal 2"}], "public_date": "2026-05-28T05:00:02Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-9673\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-9673\nhttps://gist.github.com/whoamins/299745a2d36b482b44e9613b78e40613\nhttps://github.com/mrodrig/json-2-csv/blob/main/src/json2csv.ts%23L410\nhttps://github.com/mrodrig/json-2-csv/commit/0fdd0bb6d0273178cd940afc323ccbce19688229\nhttps://security.snyk.io/vuln/SNYK-JS-JSON2CSV-14221326"], "statement": "This Moderate vulnerability in `json-2-csv` allows for CSV Injection due to a bypass in the `preventCsvInjection` option. While exploitation requires a user to open a specially crafted CSV file in a spreadsheet application, successful attacks could lead to arbitrary code execution or information disclosure. This affects Red Hat Developer Hub and Red Hat Ansible Automation Platform when processing untrusted data that is subsequently exported to CSV and opened by a user.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.15.0,5.5.11)"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}]}, "original": {"product": "json-2-csv", "source": "cna", "vendor": "n/a"}, "product": "json-2-csv", "vendor": "mrodrig"}], "created": "2026-05-28T07:30:11.299798+00:00", "title": "CSV Injection Vulnerability in json-2-csv Package via PreventCsvInjection Option", "updated": "2026-05-30T21:19:21.900574+00:00", "vendors": ["mrodrig", "mrodrig$PRODUCT$json-2-csv"]}