CSV Formula Injection in Stirling-PDF v1.3.2: when converting PDF content to CSV the application does not neutralize cell values that begin with characters treated as formulas by spreadsheet software (for example =, +, -, @). A malicious PDF (or PDF containing attacker-controlled metadata) can inject spreadsheet formulas into exported CSVs; when a user opens that CSV in Excel/LibreOffice the formula is evaluated in the user’s spreadsheet context.
Prepare a crafted CSV file, then export it to pdf.
Navigate to "PDF to CSV" function, upload the exported pdf.
Extract it.
Open the downloaded file.
Formula triggered.