passbolt-browser-extension is vulnerable to CSV Injection
32
Low Risk
CSV export was enabled by default and produced files that could contain formula-injectable content. When a user opens such a CSV in spreadsheet software (e.g. Excel), leading equals signs or other formula prefixes in exported cells can be interpreted as expressions, enabling CSV (formula) injection and potentially code execution or data exfiltration in the spreadsheet context. Additionally, exporting credentials to plaintext CSV increases exposure if the file is mishandled. The fix disables CSV export by default and gates it behind a server configuration; when enabled, a confirmation step warns users. Content Security Policy enforcement was also extended to reduce the attack surface.
You are affected if you are using a version that falls within the vulnerable range.
passbolt-browser-extension is vulnerable to CSV Injection in versions 5.0.0 - 5.9.0.
Upgrade the passbolt-browser-extension library to the patched version.
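The formula-prefix behaviour described above can also be neutralised when a CSV is written. The JavaScript below is an added example, not passbolt's code and not its fix (which disables CSV export by default); the column names, the sample rows and the apostrophe-prefix approach are assumptions chosen for illustration.

```javascript
// Added example, not passbolt code. Column names and rows are constructed.
const FORMULA_PREFIXES = new Set(["=", "+", "-", "@", "\t", "\r"]);

// True when a spreadsheet may evaluate the cell as a formula on open.
function isFormulaLike(value) {
  const s = String(value ?? "");
  return s.length > 0 && FORMULA_PREFIXES.has(s[0]);
}

// Prefix risky cells with an apostrophe (forces text), then quote the field
// per RFC 4180 so embedded quotes, commas and newlines cannot break out.
function escapeCsvCell(value) {
  let s = String(value ?? "");
  if (isFormulaLike(s)) s = "'" + s;
  return '"' + s.replace(/"/g, '""') + '"';
}

// Report which cells would have been interpreted, for logging or a user warning.
function findRiskyCells(rows, columns) {
  const hits = [];
  rows.forEach((row, i) => {
    for (const col of columns) {
      if (isFormulaLike(row[col])) hits.push({ row: i, column: col });
    }
  });
  return hits;
}

function toCsv(rows, columns) {
  const lines = [columns.map(escapeCsvCell).join(",")];
  for (const row of rows) {
    lines.push(columns.map((c) => escapeCsvCell(row[c])).join(","));
  }
  return lines.join("\r\n") + "\r\n";
}

// Constructed sample: one benign record, one with formula-like fields.
const COLUMNS = ["name", "username", "uri", "description"];
const SAMPLE = [
  { name: "Intranet", username: "alice", uri: "https://intranet.example", description: "wiki" },
  { name: "=1+1", username: "bob", uri: "https://app.example", description: '@note "x", y' },
];

console.log(findRiskyCells(SAMPLE, COLUMNS));
console.log(toCsv(SAMPLE, COLUMNS));
```

Because the apostrophe changes the stored value, any tool that re-imports such a file has to strip it again, which matters for secrets that legitimately start with one of these characters.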