Description
ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to inject spreadsheet formulas into vendor name fields that execute on the workstation of users who open the exported CSV in a spreadsheet application. Attackers can add malicious formulas like =10+20+cmd|' /C calc'!A0 in the vendor creation form, which execute when the exported CSV file is opened in spreadsheet applications.
Published: 2026-05-05
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ERPGo SaaS 3.9 contains a CSV injection flaw that allows authenticated users to insert spreadsheet formulas directly into the vendor name field. When a vendor list is exported to CSV and opened in a spreadsheet application, the embedded formula executes on the victim’s workstation. Sample payloads such as =10+20+cmd|' /C calc'!A0 demonstrate that the injection can trigger arbitrary code execution.

Affected Systems

The flaw is present in ERPGo SaaS version 3.9 as distributed by Rajodiya. No other affected versions are documented in the available data, and Rajodiya is the sole vendor identified.

Risk and Exploitability

The CVSS base score of 8.7 indicates high severity, but the EPSS score of less than 1% reflects a very low probability of exploitation, and the vulnerability is not catalogued in the CISA KEV list. Exploitation requires an authenticated account that can create vendors and export the data, and it depends on a victim who opens the malicious CSV in a spreadsheet program. It is inferred that the attacker must rely on a target opening the exported file for execution, so the immediate threat is limited to users who handle exported CSVs from the application.

Generated by OpenCVE AI on May 26, 2026 at 02:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of ERPGo SaaS when the vendor releases it.
  • Restrict vendor creation and CSV export functions to trusted administrators to reduce injection opportunities.
  • Implement input validation to strip or escape leading characters '=', '+', '-', '@', or '0x' in vendor names before exporting to CSV.
  • Instruct users to avoid opening CSV files from untrusted or unknown sources.

Generated by OpenCVE AI on May 26, 2026 at 02:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 00:00:00 +0000

Type Values Removed Values Added
Description ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to execute arbitrary code by injecting formula payloads into vendor name fields. Attackers can add malicious formulas like =10+20+cmd|' /C calc'!A0 in the vendor creation form, which execute when the exported CSV file is opened in spreadsheet applications. ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to inject spreadsheet formulas into vendor name fields that execute on the workstation of users who open the exported CSV in a spreadsheet application. Attackers can add malicious formulas like =10+20+cmd|' /C calc'!A0 in the vendor creation form, which execute when the exported CSV file is opened in spreadsheet applications.

Wed, 06 May 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Rajodiya
Rajodiya erpgo Saas
Vendors & Products Rajodiya
Rajodiya erpgo Saas

Tue, 05 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 05 May 2026 11:45:00 +0000

Type Values Removed Values Added
Description ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to execute arbitrary code by injecting formula payloads into vendor name fields. Attackers can add malicious formulas like =10+20+cmd|' /C calc'!A0 in the vendor creation form, which execute when the exported CSV file is opened in spreadsheet applications.
Title ERPGo SaaS 3.9 CSV Injection via Vendor Creation
Weaknesses CWE-1236
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Rajodiya Erpgo Saas
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-25T23:41:23.539Z

Reserved: 2026-01-10T01:51:52.985Z

Link: CVE-2023-54348

cve-icon Vulnrichment

Updated: 2026-05-05T12:35:48.629Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-05T12:16:17.300

Modified: 2026-05-05T19:50:11.910

Link: CVE-2023-54348

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T02:30:26Z

Weaknesses