PatchSiren

json-2-csv CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM | json-2-csv CVE | published 2026-05-28

CVE-2026-9673

A CSV injection vulnerability exists in the json-2-csv npm package versions 3.15.0 through 5.5.10. The `preventCsvInjection` option, intended to block formula injection attacks, can be bypassed. An attacker can embed malicious formulas into CSV output that execute when opened in spreadsheet applications such as Microsoft Excel or LibreOffice Calc. This represents a client-side code execution risk when vic [truncated]