CVE-2025-52386

13.08.2025, 14:15

CycloneDX Sunshine v0.9 is vulnerable to CSV Formula Injection via a crafted JSON file

Enginsight

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 5.4 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
| mitre | CNA | --- | --- | | | |
| CISA-ADP | ADP | 5.4 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |

EPSS Score
Percentile: 16%

Common Weakness Enumeration

CWE-1236 - Improper Neutralization of Formula Elements in a CSV File

The software saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by spreadsheet software.

References

https://github.com/CycloneDX/Sunshine
https://github.com/VishalSreenivas/Formula-Injection-in-CycloneDX-Sunshine/blob/main/CVE-2025-52386.md
https://github.com/VishalSreenivas/Formula-Injection-in-CycloneDX-Sunshine/blob/main/payload.json