Remote Code Execution Vulnerability in Actual Personal Finance Application for macOS
CVE-2026-42890

4.8MEDIUM

Key Information:

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-42890?

A vulnerability in the Actual personal finance application for macOS (version 25.x), built on Electron 39.2.7, allows an attacker to exploit the application due to the ELECTRON_RUN_AS_NODE feature not being disabled. By placing a file on disk or manipulating command-line arguments, an attacker can launch the Actual.app binary with the ELECTRON_RUN_AS_NODE=1 setting. This scenario enables a Node.js REPL instance that can execute arbitrary code while inheriting the application's entitlements and code signature, effectively bypassing macOS Gatekeeper restrictions. The issue has been addressed in version 26.5.0.

Affected Version(s)

actual < 26.5.0

References

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.