Description
ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to execute arbitrary code by injecting formula payloads into vendor name fields. Attackers can add malicious formulas like =10+20+cmd|' /C calc'!A0 in the vendor creation form, which execute when the exported CSV file is opened in spreadsheet applications.
Published: 2026-05-05
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ERPGo SaaS 3.9 contains a CSV injection flaw in the vendor creation form. An authenticated user can insert spreadsheet formula payloads such as =10+20+cmd|' /C calc'!A0 into the vendor name field. When the vendor list is exported to CSV and opened in a spreadsheet application, the injected formula is executed, potentially granting the attacker arbitrary code execution on the victim’s machine. While the exploit begins with authentication to the SaaS platform, the dangerous payload is triggered locally when the user opens the exported CSV.

Affected Systems

The vulnerability affects ERPGo SaaS version 3.9 distributed by Rajodiya. No additional affected versions are listed in the available data.

Risk and Exploitability

The CVSS base score of 8.7 reflects a high severity level, indicating considerable potential impact and a relatively high exploitation likelihood. The exploit requires an authenticated account and the ability to export vendor data, making it relatively straightforward for an attacker with user access. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to trigger the payload locally by opening the malicious CSV in a spreadsheet program, so the immediate threat is to users who open exported files. Because the payload travels in user-supplied data and relies on ordinary spreadsheet formula evaluation, it is considered a classic CSV injection vector.

Generated by OpenCVE AI on May 5, 2026 at 12:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • If a patch or updated version of ERPGo SaaS has been released, upgrade immediately to the fixed release.
  • Restrict permissions so that only trusted administrators can create vendors or export vendor data, limiting the number of users who could inject malicious formulas.
  • Implement input validation that removes or escapes a leading '=', '+', '-', '@', or '0x' in the vendor name before it is written to the exported CSV.
  • Proceed with caution when opening exported CSV files, and avoid opening files from untrusted sources or before checking the content for suspicious formulas.
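One way to implement the input-validation and export-hardening items above, as an added example that is not ERPGo's code (the vendor record shape, the helper names and the sample rows are assumptions; the apostrophe-prefix approach follows OWASP's CSV injection guidance):

```python
import csv
import io

# Leading characters that make common spreadsheet applications evaluate a cell
# as a formula: '=', '+', '-', '@' plus tab and carriage return (OWASP's CSV
# injection guidance). "0x" is added to match the advisory's recommended actions.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value):
    """True if a spreadsheet could interpret this cell as a formula.

    Leading spaces are skipped as a conservative choice: an extra apostrophe on
    a harmless value costs nothing, a missed trigger costs code execution.
    """
    text = str(value).lstrip(" ")
    return text.startswith(FORMULA_TRIGGERS) or text.lower().startswith("0x")


def neutralize_cell(value):
    """Prefix formula-like cells with an apostrophe so they render as text.

    With the csv module quoting every field, embedded commas and double quotes
    cannot break the cell open either.
    """
    text = str(value)
    return "'" + text if is_formula_like(text) else text


def export_vendors_csv(vendors):
    """Render vendor records (dicts with 'name' and 'email', a constructed
    shape rather than ERPGo's real schema) to CSV with every cell neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["name", "email"])
    for vendor in vendors:
        writer.writerow([neutralize_cell(vendor["name"]),
                         neutralize_cell(vendor["email"])])
    return buf.getvalue()


# Constructed sample input: the first row carries the payload string quoted in
# the advisory; the others are benign names that must survive unchanged.
SAMPLE_VENDORS = [
    {"name": "=10+20+cmd|' /C calc'!A0", "email": "evil@example.test"},
    {"name": "Acme, Inc.", "email": "ap@acme.example.test"},
    {"name": "-Dash Supplies", "email": "orders@dash.example.test"},
]

if __name__ == "__main__":
    print(export_vendors_csv(SAMPLE_VENDORS))
```

The same `is_formula_like` check can be run at vendor-creation time to reject or flag names that would need escaping, which is where the advisory's validation item belongs.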

Advisories

No advisories yet.

History

Tue, 05 May 2026 13:15:00 +0000

Type: Metrics
Values removed: -
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 05 May 2026 11:45:00 +0000

Type: Description
Values removed: -
Values added: ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to execute arbitrary code by injecting formula payloads into vendor name fields. Attackers can add malicious formulas like =10+20+cmd|' /C calc'!A0 in the vendor creation form, which execute when the exported CSV file is opened in spreadsheet applications.

Type: Title
Values removed: -
Values added: ERPGo SaaS 3.9 CSV Injection via Vendor Creation

Type: Weaknesses
Values removed: -
Values added: CWE-1236

Type: References
Values removed: -
Values added:

Type: Metrics
Values removed: -
Values added: cvssV3_1
{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
cvssV4_0
{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-05T12:35:52.491Z

Reserved: 2026-01-10T01:51:52.985Z

Link: CVE-2023-54348

Vulnrichment

Updated: 2026-05-05T12:35:48.629Z

NVD

Status: Received

Published: 2026-05-05T12:16:17.300

Modified: 2026-05-05T12:16:17.300

Link: CVE-2023-54348

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T13:00:07Z

Weaknesses