Remote Code Execution Vulnerability in Actual Personal Finance Application for macOS
CVE-2026-42890
4.8MEDIUM
What is CVE-2026-42890?
A vulnerability in the Actual personal finance application for macOS (version 25.x), built on Electron 39.2.7, allows an attacker to exploit the application due to the ELECTRON_RUN_AS_NODE feature not being disabled. By placing a file on disk or manipulating command-line arguments, an attacker can launch the Actual.app binary with the ELECTRON_RUN_AS_NODE=1 setting. This scenario enables a Node.js REPL instance that can execute arbitrary code while inheriting the application's entitlements and code signature, effectively bypassing macOS Gatekeeper restrictions. The issue has been addressed in version 26.5.0.
Affected Version(s)
actual < 26.5.0
