Table

Local-first converters, viewers, and file tools

Insights · about 6 min read

CSV injection and formula hijacking: what viewers should avoid executing

Cells beginning with =, +, -, or @ can trigger spreadsheet formulas; a point of awareness for security teams and CSV tooling.

Published March 21, 2025 · Table

When a CSV file is opened in Excel or Sheets, a cell like =cmd|... can be interpreted as a formula. Pure viewers that do not execute formulas reduce that class of risk compared to full spreadsheet apps.

Defenses

  • Strip or prefix risky leading characters in untrusted feeds.
  • Open unknown files in a sandboxed viewer first.
  • Train finance users on "enable content" prompts.
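The first defense, as an added example (not code from this article or from Table): a Python filter that prefixes risky cells in an untrusted CSV feed and reports what it changed. The apostrophe prefix, the rule that plain signed numbers pass through unchanged, and the sample feed are assumptions made for this sketch.

```python
import csv
import io
import re

RISKY_LEADERS = ("=", "+", "-", "@")            # characters listed in the article
PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")  # e.g. -12.50 is data, not a formula

def neutralize_cell(value):
    """Prefix a cell with an apostrophe if a spreadsheet could read it as a formula."""
    if not value.startswith(RISKY_LEADERS):
        return value
    if PLAIN_NUMBER.fullmatch(value):
        return value  # keep signed amounts intact for finance data
    return "'" + value  # assumption: apostrophe as the neutralizing prefix

def sanitize_csv(text):
    """Return (sanitized CSV text, [(row, column, original value), ...] for changed cells)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    changed = []
    # csv.reader/writer handle quoting, so a payload hidden inside a quoted
    # field is inspected as a whole cell rather than as raw text.
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        clean = []
        for c, cell in enumerate(row, start=1):
            fixed = neutralize_cell(cell)
            if fixed != cell:
                changed.append((r, c, cell))
            clean.append(fixed)
        writer.writerow(clean)
    return out.getvalue(), changed

# Constructed sample feed (not from the article); the formulas are inert.
SAMPLE = (
    "name,amount,note\n"
    "alice,-12.50,refund\n"
    'bob,+3,"=SUM(A1:A2)"\n'
    "carol,10,@handle\n"
    'dave,7,"-2+3, see memo"\n'
)

if __name__ == "__main__":
    cleaned, report = sanitize_csv(SAMPLE)
    print(cleaned)
    for row, col, original in report:
        print(f"row {row} col {col}: neutralized {original!r}")
```

The prefix becomes part of the stored value, so apply it only on exports destined for spreadsheet apps and keep the change report for review.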
