๐Ÿ” CVE Alert

CVE-2026-50179

MEDIUM 4.2

Actual: CSV Formula Injection in Transaction Export via Imported Payee/Notes Fields

CVSS Score
4.2
EPSS Score
0.3%
EPSS Percentile
20th

Actual is a local-first personal finance tool. Prior to 26.6.0, exportToCSV and exportQueryToCSV in packages/loot-core/src/server/transactions/export/export-to-csv.ts pass user-controlled Payee, Notes, Account, and Category strings to csv-stringify with no cast callback and no formula-prefix neutralization. Strings that begin with equals sign, plus, minus, at sign, tab, or carriage return survive verbatim into the exported CSV, and when a recipient opens the file in Excel, LibreOffice Calc, or Google Sheets, the strings are interpreted as formulas, enabling transaction data exfiltration and attacker-chosen spreadsheet display values. This issue is fixed in version 26.6.0.

CWE CWE-1236
Vendor actualbudget
Product actual
Published Jul 7, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for actualbudget actual

Be the first to know when new medium vulnerabilities affecting actualbudget actual are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Affected Versions

actualbudget / actual
< 26.6.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/actualbudget/actual/security/advisories/GHSA-xqjm-27pc-rvwm github.com: https://github.com/actualbudget/actual/commit/068185751c03b42e726e3c60b718413d5f96c306 github.com: https://github.com/actualbudget/actual/releases/tag/v26.6.0