CVE-2020-36941

Severity: Medium · Public PoC

Published: 27 January 2026
Modified: 24 March 2026
KEV Added: not listed
CVSS Score v4: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0049 (38.5th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2020-36941 is a medium-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Guelfoweb Knockpy. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 38.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2020-36941 is a CSV injection vulnerability affecting Knockpy version 4.1.1. The flaw arises from unfiltered server headers, enabling attackers to inject malicious spreadsheet formulas into CSV reports generated by the tool. This issue is classified under CWE-1236 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact exploitation.

The vulnerability can be exploited remotely by any unauthenticated attacker with network access and low complexity requirements. By manipulating server response headers, an attacker injects formulas that execute automatically when a victim opens the CSV report in spreadsheet applications, such as Microsoft Excel or LibreOffice Calc. Successful exploitation could compromise the victim's system through arbitrary code execution, data exfiltration, or other malicious actions embedded in the formulas.

Advisories and related resources, including the Knockpy GitHub repository (https://github.com/guelfoweb/knock), an Exploit-DB entry (https://www.exploit-db.com/exploits/49342), and a Vulncheck advisory (https://www.vulncheck.com/advisories/knockpy-csv-injection), provide details on the issue and potential mitigations, such as updating to a patched version or implementing input sanitization for headers.
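As an added example (not Knockpy's own code), the following Python shows the output-filtering control described above: untrusted HTTP Server header values are neutralized before they are written into a CSV report, so a value that begins with a formula trigger is stored as text. The row layout and the sample header values are constructed for illustration.

```python
import csv
import io

# Characters that make Excel or LibreOffice Calc treat a cell as a formula
# when they appear first in the cell (after any leading spaces).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def is_formula_like(value: str) -> bool:
    """Return True when a spreadsheet would evaluate `value` as a formula."""
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Make an untrusted string safe to place in one CSV cell.

    Tabs, CR and LF are replaced so a single header value cannot break out
    into a new field or row that itself starts with a trigger. A leading
    single quote then forces text interpretation; the quote stays visible
    in the opened sheet, which is the accepted cosmetic trade-off.
    """
    value = str(value)
    value = value.replace("\t", " ").replace("\r", " ").replace("\n", " ")
    if is_formula_like(value):
        value = "'" + value
    return value


def build_report(rows) -> str:
    """Render (subdomain, ip, server_header) rows as CSV text.

    Every cell is neutralized and quoted; csv.QUOTE_ALL also doubles any
    embedded double quotes, so no value can terminate its own field early.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    writer.writerow(["subdomain", "ip", "server"])
    for sub, ip, server in rows:
        writer.writerow([neutralize_cell(c) for c in (sub, ip, server)])
    return buf.getvalue()


# Constructed sample scan results; the second and third Server headers are
# benign formula-shaped strings standing in for hostile header values.
SAMPLE_ROWS = [
    ("www.example.com", "203.0.113.10", "nginx/1.18.0"),
    ("dev.example.com", "203.0.113.11", "=1+1"),
    ("api.example.com", "203.0.113.12", "  @SUM(A1:A9)"),
]

if __name__ == "__main__":
    print(build_report(SAMPLE_ROWS), end="")
```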

Vulnerability details

Knockpy 4.1.1 contains a CSV injection vulnerability that allows attackers to inject malicious formulas into CSV reports through unfiltered server headers. Attackers can manipulate server response headers to include spreadsheet formulas that will execute when the CSV is opened in spreadsheet applications.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1059.003 Windows Command Shell Execution
Adversaries may abuse the Windows command shell for execution.
Why these techniques?

CSV injection enables malicious formula delivery in generated reports (T1204.002 Malicious File); formulas execute OS commands on open (T1059.003 Windows Command Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2021-47901 (shared CWE-1236)
CVE-2023-51336 (shared CWE-1236)
CVE-2023-54348 (shared CWE-1236)
CVE-2025-67851 (shared CWE-1236)
CVE-2023-51333 (shared CWE-1236)
CVE-2025-50572 (shared CWE-1236)
CVE-2026-23873 (shared CWE-1236)
CVE-2023-51311 (shared CWE-1236)
CVE-2025-56267 (shared CWE-1236)
CVE-2023-51319 (shared CWE-1236)

Affected Assets

guelfoweb
knockpy
4.1.1

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly addresses the CVE by requiring remediation of the specific flaw in Knockpy 4.1.1 through patching to a version that sanitizes server headers in CSV reports.

Prevent: Prevents CSV injection by filtering malicious spreadsheet formulas from CSV reports generated using untrusted server header data.

Prevent: Mitigates exploitation by validating server headers as inputs to ensure they do not contain executable formulas before inclusion in CSV outputs.
