๐Ÿ” CVE Alert

CVE-2026-46672

MEDIUM 4.6

Actual: CSV Formula Injection in `@actual-app/cli` `--format csv` Output via Custom `escapeCsv` Helper

CVSS Score
4.6
EPSS Score
0.0%
EPSS Percentile
0th

Actual is a local-first personal finance app. Prior to 26.6.0, @actual-app/cli ships a hand-rolled CSV serializer in packages/cli/src/output.ts used whenever the global --format csv option is passed, whose escapeCsv helper only handles RFC 4180 delimiter, quote, and newline escaping and does not neutralize standard CSV formula-injection prefixes. Any CLI command that streams an object array containing user-controlled strings, including transactions list, accounts list, payees list, categories list, tags list, category-groups list, rules list, schedules list, and query, can emit cells that auto-evaluate when the resulting CSV is opened in Excel, LibreOffice Calc, or Google Sheets, enabling data exfiltration and arbitrary formula execution. This issue is fixed in version 26.6.0.

CWE CWE-1236
Vendor actualbudget
Product actual
Published Jul 7, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for actualbudget actual

Be the first to know when new medium vulnerabilities affecting actualbudget actual are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Affected Versions

actualbudget / actual
< 26.6.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/actualbudget/actual/security/advisories/GHSA-7gh7-258j-4mpq github.com: https://github.com/actualbudget/actual/pull/7859 github.com: https://github.com/actualbudget/actual/commit/068185751c03b42e726e3c60b718413d5f96c306 github.com: https://github.com/actualbudget/actual/releases/tag/v26.6.0