Back to overview

CVE-2026-50179

MEDIUM
4.2
CVSS 3.1
Description
Actual is a local-first personal finance tool. Prior to 26.6.0, exportToCSV and exportQueryToCSV in packages/loot-core/src/server/transactions/export/export-to-csv.ts pass user-controlled Payee, Notes, Account, and Category strings to csv-stringify with no cast callback and no formula-prefix neutralization. Strings that begin with equals sign, plus, minus, at sign, tab, or carriage return survive verbatim into the exported CSV, and when a recipient opens the file in Excel, LibreOffice Calc, or Google Sheets, the strings are interpreted as formulas, enabling transaction data exfiltration and attacker-chosen spreadsheet display values. This issue is fixed in version 26.6.0.

Metadata

CVE ID
CVE-2026-50179
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-03 22:05 UTC
Published
2026-07-07 20:58 UTC
Last updated
2026-07-07 20:58 UTC
Primary CWE
CWE-1236
CWE-1236: Improper Neutralization of Formula Elements in a C…
Vendor / Product
actualbudget / actual
Sources
cve.org  ·  NVD

Severity & Metrics

4.2 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected products (1)
VendorProductPlatformVersions
actualbudget actual < 26.6.0
Weakness (CWE)
CWESourceDescription
CWE-1236 cna CWE-1236: Improper Neutralization of Formula Elements in a CSV File
CVSS scores (1)
ScoreSeverityVersionSourceVector
4.2 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
References (3)
Back to overview