CSV Formula Injection in CycloneDX Sunshine by CycloneDX
CVE-2025-52386
5.4 MEDIUM
What is CVE-2025-52386?
CycloneDX Sunshine version 0.9 is vulnerable to CSV formula injection through a specially crafted JSON file. An attacker can craft a malicious JSON file that, when processed by the application, could lead to arbitrary code execution within spreadsheet applications, potentially compromising the integrity of sensitive data. Users of CycloneDX Sunshine should update their systems immediately to mitigate this vulnerability.
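To show the class of defect from the defender's side, the following added example (not CycloneDX Sunshine's code or its fix) neutralizes formula-leading values before fields from a JSON document are written to CSV. The exported columns, the function names and the sample document are assumptions constructed for illustration.

```python
import csv
import io
import json

# Leading characters a spreadsheet may interpret as the start of a formula
# (the set listed in OWASP's CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample input: a minimal CycloneDX-style document in which one
# component name is a harmless formula and one is a scoped npm package name.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "=1+1", "version": "1.0.0"},
        {"name": "@scope/pkg", "version": "2.3.4"},
        {"name": "libexample", "version": "0.9"},
    ],
})


def neutralize_cell(value):
    """Return the value as text that a spreadsheet will display, not evaluate."""
    text = "" if value is None else str(value)
    # Also check the whitespace-stripped form so a padded value is treated
    # conservatively.
    if text.startswith(FORMULA_TRIGGERS) or text.lstrip().startswith(FORMULA_TRIGGERS):
        # A leading apostrophe forces text interpretation. Legitimate values
        # such as "@scope/pkg" or "-1" are prefixed too; that is the trade-off.
        return "'" + text
    return text


def sanitized_rows(sbom_json, fields=("name", "version")):
    """Build a header plus one neutralized row per component in the document."""
    components = json.loads(sbom_json).get("components", [])
    rows = [list(fields)]
    for comp in components:
        rows.append([neutralize_cell(comp.get(f)) for f in fields])
    return rows


def components_to_csv(sbom_json):
    """Serialize the neutralized rows, quoting every field."""
    out = io.StringIO()
    csv.writer(out, quoting=csv.QUOTE_ALL).writerows(sanitized_rows(sbom_json))
    return out.getvalue()


if __name__ == "__main__":
    print(components_to_csv(SAMPLE_SBOM))
```

Neutralizing at the point of export protects every consumer of the file, whereas relying on spreadsheet warning dialogs leaves the decision to the person opening it.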
CVSS V3.1
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
