Cyber Posture

CVE-2020-36941

Critical | Public PoC

Published: 27 January 2026

Modified: 24 March 2026
KEV Added: not listed
Patch: (none recorded)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0007 (21.9th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2020-36941 is a critical-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Guelfoweb Knockpy. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked at the 21.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly addresses the CVE by requiring remediation of the specific flaw in Knockpy 4.1.1 through patching to a version that sanitizes server headers in CSV reports.
- prevent: Prevents CSV injection by filtering malicious spreadsheet formulas from CSV reports generated using untrusted server header data.
- prevent: Mitigates exploitation by validating server headers as inputs to ensure they do not contain executable formulas before inclusion in CSV outputs.

NVD Description

Knockpy 4.1.1 contains a CSV injection vulnerability that allows attackers to inject malicious formulas into CSV reports through unfiltered server headers. Attackers can manipulate server response headers to include spreadsheet formulas that will execute when the CSV is opened in spreadsheet applications.

Deeper analysis

CVE-2020-36941 is a CSV injection vulnerability affecting Knockpy version 4.1.1. The flaw arises from unfiltered server headers, enabling attackers to inject malicious spreadsheet formulas into CSV reports generated by the tool. This issue is classified under CWE-1236 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact exploitation.

The vulnerability can be exploited remotely by any unauthenticated attacker with network access, and the attack is of low complexity. By manipulating server response headers, an attacker injects formulas that execute automatically when a victim opens the CSV report in a spreadsheet application such as Microsoft Excel or LibreOffice Calc. Successful exploitation could compromise the victim's system through arbitrary code execution, data exfiltration, or other malicious actions embedded in the formulas.

Advisories and related resources, including the Knockpy GitHub repository (https://github.com/guelfoweb/knock), an Exploit-DB entry (https://www.exploit-db.com/exploits/49342), and a Vulncheck advisory (https://www.vulncheck.com/advisories/knockpy-csv-injection), provide details on the issue and potential mitigations, such as updating to a patched version or implementing input sanitization for headers.
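As an added example (not Knockpy's own code and not taken from this page), the following Python shows the neutralization the SI-10/SI-15 controls above call for: untrusted server-header values are escaped before they are written to a CSV report, and an existing report can be scanned for cells that a spreadsheet would evaluate. The field names, host names and sample rows are constructed for illustration.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice Calc evaluate a cell as a
# formula (CWE-1236). Leading whitespace is stripped before the check so
# values such as "  =SUM(1,2)" or a tab followed by "=" are also caught.
FORMULA_TRIGGERS = ("=", "+", "-", "@")

def is_formula_like(value):
    """True if a spreadsheet would treat this cell value as a formula."""
    return value is not None and str(value).lstrip().startswith(FORMULA_TRIGGERS)

def neutralize_cell(value):
    """Return a cell value that spreadsheet applications show as literal text.

    A leading single quote forces text mode; CR/LF inside the value are
    flattened so one hostile header cannot spill into additional rows.
    """
    text = "" if value is None else str(value)
    if is_formula_like(text):
        text = "'" + text
    return text.replace("\r", " ").replace("\n", " ")

def write_report(rows, fieldnames):
    """Write scan rows (dicts) as CSV text, neutralizing every untrusted field."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k, "")) for k in fieldnames})
    return buf.getvalue()

def find_formula_cells(csv_text):
    """Scan an existing report; return (record, column, value) for risky cells."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(record, col, val)
            for record, row in enumerate(reader, start=2)  # record 1 is the header
            for col, val in row.items() if is_formula_like(val)]

# Constructed sample rows (hypothetical hosts, not real scan output): the second
# host answered with a Server header that is a spreadsheet formula.
FIELDS = ["subdomain", "ip", "server"]
SAMPLE_ROWS = [
    {"subdomain": "www.example.test", "ip": "203.0.113.10", "server": "nginx/1.25"},
    {"subdomain": "dev.example.test", "ip": "203.0.113.11", "server": "=SUM(1,2)"},
]
```

Running `find_formula_cells` over reports already on disk is a cheap check for output produced by the unpatched version.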

Details

CWE(s): CWE-1236

Affected Products: guelfoweb knockpy 4.1.1

CVEs Like This One

CVE-2024-55532 (shared CWE-1236)
CVE-2020-36962 (shared CWE-1236)
CVE-2025-50572 (shared CWE-1236)
CVE-2025-55745 (shared CWE-1236)
CVE-2023-51319 (shared CWE-1236)
CVE-2021-47901 (shared CWE-1236)
CVE-2025-67851 (shared CWE-1236)
CVE-2024-45084 (shared CWE-1236)
CVE-2025-56267 (shared CWE-1236)
CVE-2026-23873 (shared CWE-1236)

References