Local-First Personal Finance App Vulnerability in Actual by Actual Budget
CVE-2026-46672

4.6MEDIUM

Key Information:

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-46672?

Prior to version 26.6.0, Actual, a local-first personal finance application, was susceptible to a CSV injection vulnerability due to its custom CSV serializer. This vulnerability arose when using the global --format csv option, allowing user-controlled strings from various object arrays (like transactions and accounts) to trigger formula execution when the CSV file was opened in spreadsheet applications like Excel, LibreOffice Calc, or Google Sheets. This could result in unauthorized data access and manipulation. The issue has been resolved in version 26.6.0.

Affected Version(s)

actual < 26.6.0

References

CVSS V3.1

Score:
4.6
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.