{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/csv-injection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2023-54348"}],"_cs_exploited":false,"_cs_products":["ERPGo SaaS 3.9"],"_cs_severities":["high"],"_cs_tags":["csv-injection","code-execution","web-application"],"_cs_type":"advisory","_cs_vendors":["ERPGo"],"content_html":"\u003cp\u003eERPGo SaaS 3.9 is susceptible to a CSV injection vulnerability that allows authenticated attackers to inject arbitrary code. The vulnerability stems from the insufficient sanitization of input provided in the vendor name field during vendor creation. By injecting malicious formulas, such as \u003ccode\u003e=10+20+cmd|' /C calc'!A0\u003c/code\u003e, attackers can achieve arbitrary code execution when a user opens the exported CSV file in a spreadsheet application. This vulnerability poses a significant risk to organizations using ERPGo SaaS 3.9, as it could lead to unauthorized access, data compromise, and further exploitation of the system. The vulnerability was reported on May 5, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the ERPGo SaaS 3.9 application.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the vendor creation form.\u003c/li\u003e\n\u003cli\u003eIn the \u0026ldquo;vendor name\u0026rdquo; field, the attacker injects a malicious CSV formula, such as \u003ccode\u003e=10+20+cmd|' /C calc'!A0\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the form, creating a new vendor entry with the malicious payload.\u003c/li\u003e\n\u003cli\u003eAn authorized user exports vendor data to a CSV file.\u003c/li\u003e\n\u003cli\u003eThe user opens the exported CSV file using a spreadsheet application like Microsoft Excel or LibreOffice Calc.\u003c/li\u003e\n\u003cli\u003eThe spreadsheet application interprets and executes the injected formula.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the user\u0026rsquo;s system, potentially leading to further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this CSV injection vulnerability allows an attacker to execute arbitrary code on the system of the user opening the exported CSV file. This could lead to the installation of malware, data exfiltration, or further compromise of the internal network. Given the widespread use of spreadsheet applications, a single successful injection could affect multiple users and systems. The potential for data compromise and system takeover makes this a high-severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CSV Injection via Formula in Process Creation\u003c/code\u003e to your SIEM to identify potential exploitation attempts based on spawned processes (process_creation logs).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CSV Injection via Formula in File Content\u003c/code\u003e to your SIEM to identify potentially crafted CSV files based on file content analysis (file_event logs).\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of ERPGo SaaS that addresses this vulnerability; consult the vendor\u0026rsquo;s security advisories for updates.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening CSV files from untrusted sources and the potential for CSV injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T12:16:17Z","date_published":"2026-05-05T12:16:17Z","id":"/briefs/2026-05-erpgo-csv-injection/","summary":"ERPGo SaaS version 3.9 is vulnerable to CSV injection, allowing authenticated attackers to execute arbitrary code by injecting malicious formulas into the vendor name field during vendor creation, which are then executed when the exported CSV file is opened in a spreadsheet application.","title":"ERPGo SaaS 3.9 CSV Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-erpgo-csv-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Csv-Injection","version":"https://jsonfeed.org/version/1.1"}