Heads-up
@actual-app/cli CSV serializer vulnerable to formula injection
What changed
The CSV serializer in packages/cli/src/output.ts does not neutralize formula-trigger prefixes (=, +, -, @, \t, \r). A cell value beginning with one of these characters is written verbatim, so a spreadsheet program (Excel, LibreOffice Calc, Google Sheets) that opens the exported file interprets the cell as a formula instead of text.
Who it affects
Users of @actual-app/cli who export data to CSV using --format csv and open the file in a spreadsheet program.
What to do today
Apply the recommended fix to neutralize formula-trigger prefixes in escapeCsv by prepending a single quote to values starting with =, +, -, @, \t, or \r.
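An added example (not the project's own code) of what the recommended fix looks like in practice: an RFC 4180-style escaper that only protects CSV structure, beside a hardened version that first neutralizes the formula-trigger prefixes listed above. The function names escapeCsvUnsafe, escapeCsvSafe and toCsv are assumptions, not identifiers from output.ts.

```typescript
// Added example, not code from @actual-app/cli. Function names are assumed.

// Prefixes that spreadsheet applications treat as the start of a formula.
const FORMULA_PREFIXES: string[] = ['=', '+', '-', '@', '\t', '\r'];

// Structural quoting only (RFC 4180 style): keeps commas, quotes and line
// breaks inside one cell, but does nothing about formula injection.
function escapeCsvUnsafe(value: string): string {
  if (/[",\r\n]/.test(value)) {
    return `"${value.replace(/"/g, '""')}"`;
  }
  return value;
}

// Hardened version: prepend a single quote to any value that starts with a
// formula-trigger prefix, so the spreadsheet reads it as literal text, then
// apply the normal structural quoting.
function escapeCsvSafe(value: string): string {
  const neutralised = FORMULA_PREFIXES.some(p => value.startsWith(p))
    ? `'${value}`
    : value;
  return escapeCsvUnsafe(neutralised);
}

// Serialise string rows with the hardened escaper, one line per row.
function toCsv(rows: string[][]): string {
  return rows
    .map(row => row.map(escapeCsvSafe).join(','))
    .join('\n');
}

// Constructed sample export with a formula-shaped payee name in one cell.
const sampleRows: string[][] = [
  ['payee', 'amount'],
  ['=HYPERLINK("x")', '10'],
  ['Groceries', '-42'],
];

function sampleCsv(): string {
  return toCsv(sampleRows);
}
```

Note that the fix also prefixes legitimate negative amounts such as -42, because the serializer cannot tell a number from formula text once the value is a string; that is the trade-off the recommended fix accepts.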