CVE-2026-42890
actual Allows Electron to Run As Node
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
13th
Actual is an open-source personal finance application. In the macOS desktop application version 25.x (built on Electron 39.2.7), the ELECTRON_RUN_AS_NODE fuse is not disabled, allowing an attacker who can place a file on disk or control command-line arguments to invoke the signed Actual.app binary with the ELECTRON_RUN_AS_NODE=1 environment variable set. This converts the application into a Node.js REPL capable of executing arbitrary code that inherits the application's entitlements and code signature, bypassing macOS Gatekeeper review. Version 26.5.0 patches the issue.
| CWE | CWE-94 |
| Vendor | actualbudget |
| Product | actual |
| Published | Jun 12, 2026 |
| Last Updated | Jun 12, 2026 |
Stay Ahead of the Next One
Get instant alerts for actualbudget actual
Be the first to know when new unknown vulnerabilities affecting actualbudget actual are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
actualbudget / actual
< 26.5.0