Local-First Personal Finance App Vulnerability in Actual by Actual Budget
CVE-2026-46672
4.6MEDIUM
What is CVE-2026-46672?
Prior to version 26.6.0, Actual, a local-first personal finance application, was susceptible to a CSV injection vulnerability due to its custom CSV serializer. This vulnerability arose when using the global --format csv option, allowing user-controlled strings from various object arrays (like transactions and accounts) to trigger formula execution when the CSV file was opened in spreadsheet applications like Excel, LibreOffice Calc, or Google Sheets. This could result in unauthorized data access and manipulation. The issue has been resolved in version 26.6.0.
Affected Version(s)
actual < 26.6.0
