Back to overview

CVE-2026-46672

MEDIUM
4.6
CVSS 3.1
Description
Actual is a local-first personal finance app. Prior to 26.6.0, @actual-app/cli ships a hand-rolled CSV serializer in packages/cli/src/output.ts used whenever the global --format csv option is passed, whose escapeCsv helper only handles RFC 4180 delimiter, quote, and newline escaping and does not neutralize standard CSV formula-injection prefixes. Any CLI command that streams an object array containing user-controlled strings, including transactions list, accounts list, payees list, categories list, tags list, category-groups list, rules list, schedules list, and query, can emit cells that auto-evaluate when the resulting CSV is opened in Excel, LibreOffice Calc, or Google Sheets, enabling data exfiltration and arbitrary formula execution. This issue is fixed in version 26.6.0.

Metadata

CVE ID
CVE-2026-46672
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-15 21:46 UTC
Published
2026-07-07 20:55 UTC
Last updated
2026-07-07 20:55 UTC
Primary CWE
CWE-1236
CWE-1236: Improper Neutralization of Formula Elements in a C…
Vendor / Product
actualbudget / actual
Sources
cve.org  ·  NVD

Severity & Metrics

4.6 MEDIUM CVSS 3.1
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Affected products (1)
VendorProductPlatformVersions
actualbudget actual < 26.6.0
Weakness (CWE)
CWESourceDescription
CWE-1236 cna CWE-1236: Improper Neutralization of Formula Elements in a CSV File
CVSS scores (1)
ScoreSeverityVersionSourceVector
4.6 MEDIUM 3.1 cna CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
References (4)
Back to overview