Improper neutralization of formula elements in a CSV file vulnerability in MIA Technology Inc. Pizzy Library allows Code Injection. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-5242 is a code injection vulnerability in MIA Technology Inc.'s Pizzy Library (versions 1.0.0.26250 through 1.3.8.26250) that stems from improper neutralization of formula elements in CSV files. When untrusted data containing formula syntax is processed without sanitization, attackers can inject malicious formulas that execute arbitrary code when the CSV is opened in spreadsheet applications. This vulnerability is particularly dangerous for organizations that generate or process CSV reports programmatically, as it bypasses user trust in file formats typically considered safe. Any system using the affected Pizzy Library versions to create, parse, or export CSV data is at risk, especially if those files are distributed to end users or consumed by other applications.
Practitioners using Casky.ai would detect this attack pattern through the platform's mapping to MITRE ATT&CK technique T1059.003 (Command Line Interface), which captures code execution through formula injection vectors. When analyzing CSV file generation and processing workflows, Casky's extended reasoning capabilities would flag unsafe formula handling patterns and identify where untrusted input flows into spreadsheet exports without proper escaping or neutralization. Security teams would see findings highlighting the specific code paths where formula prefixes (=, +, -, @) aren't being stripped or escaped before CSV output, along with recommendations to upgrade to Pizzy Library 1.3.9.26250 or later and implement input validation controls that prevent formula injection regardless of library versions.
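The escaping step described above can be sketched as follows. This is an added example, not code from Pizzy Library or Casky; the function names `neutralize_cell`, `export_csv` and `audit_csv` and the sample rows are hypothetical, and it goes slightly beyond the four prefixes on the page by also treating tab and carriage return as triggers, as OWASP's CSV-injection guidance does.

```python
import csv
import io
import re

# Prefixes named on the page, plus tab and carriage return, which OWASP's
# CSV-injection guidance also lists (an addition beyond the page).
TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
PLAIN_NUMBER = re.compile(r"-?\d+(\.\d+)?")


def neutralize_cell(value):
    """Return value as text that no longer starts with a formula trigger."""
    text = "" if value is None else str(value)
    if PLAIN_NUMBER.fullmatch(text):
        return text  # keep negative numbers such as -12.5 usable
    # Conservative choice: also catch a trigger hidden behind leading spaces.
    if text.lstrip(" ").startswith(TRIGGERS):
        return "'" + text  # apostrophe prefix so the cell is read as text
    return text


def export_csv(rows):
    """Serialize rows with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def audit_csv(data):
    """Return (row, column, value) for cells a spreadsheet could evaluate."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(data)), start=1):
        for c, cell in enumerate(row, start=1):
            if neutralize_cell(cell) != cell:
                findings.append((r, c, cell))
    return findings


# Constructed sample rows: one benign, three carrying formula-like input.
SAMPLE = [
    ["name", "balance", "note"],
    ["alice", "-12.5", "paid"],
    ["bob", "40", "=SUM(A1:A2)"],
    ["carol", "7", "  @ref"],
    ["dave", "+1+1", "ok"],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE))
```

Running `audit_csv` over previously generated exports shows which stored files still contain unescaped cells; applying `neutralize_cell` at the export boundary covers the case where the library itself cannot be upgraded immediately.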
© 2026 Casky.AI, Inc. · AI Security Investigation