CVE-2026-9673: CSV Injection in json-2-csv via preventCsvInjection bypass
Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications.
HarborGuard Analysis
Synopsis
CSV Injection in the json-2-csv npm package (versions from 3.15.0 up to, but not including, 5.5.11) allows an attacker to bypass the preventCsvInjection option and embed malicious spreadsheet formulas into generated CSV output. The vulnerability is reached locally (no network access required) and requires no authentication or victim interaction to inject the payload, though a user must open the resulting CSV file in a spreadsheet application for the formula to execute. Successful exploitation lets the attacker run arbitrary spreadsheet formulas in the victim's spreadsheet application, enabling data exfiltration or unauthorized command execution within that application context. A patched-image rebuild at version 5.5.11 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
- Detection: Available
Detection of CVE-2026-9673 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle json-2-csv directly or transitively.
- Triage: Available
Triage uses the CVSS v4.0 score of 7.0 (HIGH), weighted against each customer environment's compliance policy, to prioritize findings and route alerts to the appropriate team inbox within the customer organization.
- Remediation: Available
A patched-image rebuild at json-2-csv 5.5.11 becomes available on HarborGuard for any image found to carry an affected version. For customers with auto-remediation enabled, HarborGuard can execute the rebuild, run a regression test suite against the updated image, and open a pull request against affected workloads.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network path to the service is required to inject the malicious payload.
- Authentication: Not required
No credentials or account privileges are needed to craft or supply a malicious input that triggers the CSV injection.
- Victim interaction: Required
A victim must open the generated CSV file in a spreadsheet application for the injected formula to execute.
- Attack complexity: Low (AC:L)
The exploit is reliable and condition-free once malicious input reaches the json-2-csv conversion path; neither a race condition nor a specific memory layout is required.
Blast Radius
- The attacker reads data accessible to the spreadsheet application at formula-execution time, including locally stored files or credentials exposed via spreadsheet functions.
- The attacker modifies or exfiltrates data by using spreadsheet formula capabilities such as external HTTP requests or file-read functions built into applications like Excel or LibreOffice Calc.
- Availability of the affected service itself is not impacted; the harm is confined to the spreadsheet application environment of whoever opens the file.
How HarborGuard Handles This
Available on HarborGuard: any image containing json-2-csv at a version between 3.15.0 and 5.5.11 is flagged automatically upon scan. A rebuild pinned to the fixed version 5.5.11 is available for affected images. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes regression tests against the updated image, and opens a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual sign-off, the triage finding is routed to the designated team inbox with CVSS context and remediation instructions attached. Until a rebuild is deployed, compensating controls include validating and sanitizing all user-supplied fields before they reach the json-2-csv conversion path, and distributing generated CSV files only over authenticated, access-controlled channels to reduce the population of users who could receive a malicious file.
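The compensating control above (validate and sanitize user-supplied fields before they reach the conversion path) is shown here as an added example; it is not json-2-csv's code, not HarborGuard's, and it does not call json-2-csv at all. It neutralizes formula triggers on the input side, audits the generated CSV text on the output side so a converter regression is still caught, and uses a minimal hypothetical `toCsv` helper as a stand-in for the real converter. The record values are constructed for the demonstration.

```javascript
// Added example (not json-2-csv's or HarborGuard's code): neutralise formula
// triggers in user-supplied fields before CSV conversion, then audit the
// generated CSV text so a regression in the converter is still caught.

// Leading characters that Excel / LibreOffice Calc treat as the start of a
// formula. A leading tab or carriage return is checked separately below.
const FORMULA_TRIGGERS = '=+-@';

// True when a cell would be interpreted as a formula. Leading spaces are
// skipped so that " =1+1" is still caught; plain signed numbers ("-12.50")
// are allowed through because the sign is not a formula there.
function isFormulaLike(value) {
  if (typeof value !== 'string' || value.length === 0) return false;
  if (value[0] === '\t' || value[0] === '\r') return true;
  const trimmed = value.replace(/^ +/, '');
  if (trimmed.length === 0) return false;
  if (/^[+-]?\d+(\.\d+)?$/.test(trimmed)) return false;
  return FORMULA_TRIGGERS.includes(trimmed[0]);
}

// OWASP-style neutralisation: a leading apostrophe makes the cell a literal.
function neutralizeCell(value) {
  return isFormulaLike(value) ? "'" + value : value;
}

// Sanitise every key and value of every record. Keys become the header row,
// so they are attacker-influenced too when objects come from untrusted JSON.
function sanitizeRecords(records) {
  return records.map((record) =>
    Object.fromEntries(
      Object.entries(record).map(([k, v]) => [neutralizeCell(k), neutralizeCell(v)])
    )
  );
}

// Minimal RFC 4180 field splitter for one physical line (no embedded newlines).
function splitCsvLine(line) {
  const fields = [];
  let cur = '';
  let inQuotes = false;
  for (let i = 0; i < line.length; i += 1) {
    const c = line[i];
    if (inQuotes) {
      if (c === '"' && line[i + 1] === '"') { cur += '"'; i += 1; }
      else if (c === '"') inQuotes = false;
      else cur += c;
    } else if (c === '"') {
      inQuotes = true;
    } else if (c === ',') {
      fields.push(cur);
      cur = '';
    } else {
      cur += c;
    }
  }
  fields.push(cur);
  return fields;
}

// Output-side audit: list every cell of a CSV document that still starts
// with a formula trigger. Returns [] for a clean document.
function findFormulaCells(csvText) {
  const hits = [];
  csvText.split('\n').forEach((rawLine, row) => {
    const line = rawLine.replace(/\r$/, '');
    if (line === '') return;
    splitCsvLine(line).forEach((cell, col) => {
      if (isFormulaLike(cell)) hits.push({ row, col, cell });
    });
  });
  return hits;
}

// Hypothetical stand-in for the CSV converter (not json-2-csv's API).
function csvEscape(value) {
  const s = String(value);
  return /[",\r\n]/.test(s) ? '"' + s.replace(/"/g, '""') + '"' : s;
}
function toCsv(records) {
  const keys = Object.keys(records[0]);
  const lines = [keys.map(csvEscape).join(',')];
  for (const r of records) lines.push(keys.map((k) => csvEscape(r[k])).join(','));
  return lines.join('\n') + '\n';
}

// Constructed sample records: the second row carries a benign formula and a
// leading-space variant that a naive first-character check would miss.
const SAMPLE_RECORDS = [
  { name: 'Alice', note: 'paid in full', balance: '-12.50' },
  { name: '=1+1', note: ' +1 day', balance: '0' },
];

// Number of flagged cells before and after sanitisation.
function demo() {
  return {
    before: findFormulaCells(toCsv(SAMPLE_RECORDS)).length,
    after: findFormulaCells(toCsv(sanitizeRecords(SAMPLE_RECORDS))).length,
  };
}

console.log(demo());
```

Running the block prints `{ before: 2, after: 0 }`: the audit flags the `=1+1` and ` +1 day` cells in the unsanitized output, and nothing once the apostrophe prefix has been applied. The numeric exception is a deliberate trade-off so that negative balances are not rewritten as text; drop it if the downstream consumer treats every column as free text.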
Metrics
- CVSS v4.0: 7.0
- Severity: HIGH
- Fixed in: 5.5.11
- Affected Products: 1
Fix available
- n/a / json-2-csv < 5.5.11 (from 3.15.0)
CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P