GHSA-xf4v-w5x5-pv79: Spree: CSV Formula Injection in Customer Export
CSV formula injection (also known as formula injection or CSV injection) affects the customer export. User-controlled values such as customer names, email addresses, and shipping addresses are written into the export without sanitization. When an administrator opens a crafted export in Microsoft Excel or LibreOffice Calc, formulas embedded in the user data execute in the context of the administrator's desktop, potentially exfiltrating data or executing OS commands via DDE (Dynamic Data Exchange).
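The standard mitigation for this class of bug is to neutralise any cell that a spreadsheet would interpret as a formula before it is written to the export. The following Ruby example is added here for illustration and is not Spree's own code: it shows an unsanitised export beside a hardened one, plus a helper that scans an existing CSV for offending cells. The customer records and the `export_customers_*`/`offending_cells` helper names are constructed for this example; the rest uses only Ruby's standard `csv` library.

```ruby
require "csv"

# Characters that Microsoft Excel and LibreOffice Calc treat as the start of
# a formula when they appear first in a cell.
FORMULA_TRIGGERS = ["=", "+", "-", "@"].freeze

# Returns true when the cell would be evaluated as a formula once opened in
# a spreadsheet. Leading whitespace (including tab and carriage return) is
# stripped first, because spreadsheets skip it before the trigger character.
def formula_cell?(value)
  stripped = value.to_s.lstrip
  return false if stripped.empty?
  FORMULA_TRIGGERS.include?(stripped[0])
end

# Neutralise a risky cell by prefixing a single quote; the spreadsheet then
# displays the text literally instead of evaluating it.
def sanitize_csv_cell(value)
  str = value.to_s
  formula_cell?(str) ? "'" + str : str
end

# Constructed sample records (not real customer data). The second record
# carries a harmless formula in its name and a leading-whitespace trigger in
# its address, to exercise both code paths.
SAMPLE_CUSTOMERS = [
  { name: "Alice Example", email: "alice@example.test", address: "1 Main St" },
  { name: "=SUM(1,2)", email: "bob@example.test", address: "  -2 Side Rd" }
].freeze

HEADERS = %w[Name Email Address].freeze

# Unsafe export: user-controlled values are written verbatim.
def export_customers_unsafe(customers)
  CSV.generate do |csv|
    csv << HEADERS
    customers.each { |c| csv << [c[:name], c[:email], c[:address]] }
  end
end

# Hardened export: every cell passes through sanitize_csv_cell, so nothing
# user-controlled can start a formula.
def export_customers_safe(customers)
  CSV.generate do |csv|
    csv << HEADERS
    customers.each do |c|
      csv << [c[:name], c[:email], c[:address]].map { |v| sanitize_csv_cell(v) }
    end
  end
end

# Audit helper: returns [line_number, column, value] for every cell in an
# existing export that would be interpreted as a formula (line 1 is the header).
def offending_cells(csv_text)
  CSV.parse(csv_text, headers: true).each_with_index.flat_map do |row, i|
    row.to_h.select { |_, v| formula_cell?(v) }.map { |k, v| [i + 2, k, v] }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "Unsafe export:", export_customers_unsafe(SAMPLE_CUSTOMERS)
  puts "Hardened export:", export_customers_safe(SAMPLE_CUSTOMERS)
  puts "Offending cells in unsafe export: #{offending_cells(export_customers_unsafe(SAMPLE_CUSTOMERS)).inspect}"
end
```

The single-quote prefix is applied to every cell whose first non-whitespace character is one of the trigger characters, which also catches legitimate values such as negative numbers or handles beginning with `@`; that is the accepted trade-off for an export that administrators open in a desktop spreadsheet. Sanitising at the point of export, rather than at input, keeps the stored data intact for other consumers.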