Local-First Personal Finance Tool Vulnerability in Actual by Actual Budget
CVE-2026-50179
What is CVE-2026-50179?
The Actual personal finance tool is susceptible to a CSV injection vulnerability due to improper handling of user-controlled input in its exportToCSV and exportQueryToCSV functions. Versions prior to 26.6.0 fail to neutralize certain formula prefixes, such as equals signs and other characters, leading to the potential for transaction data exfiltration. When users export data as CSV, maliciously crafted inputs can be interpreted as formulas by spreadsheet applications like Excel, LibreOffice Calc, and Google Sheets. As a result, attackers can manipulate the display values in the recipient's spreadsheet, compromising the integrity of exported financial data. The vulnerability has been addressed in version 26.6.0, which now includes necessary safety measures to prevent this issue.
Affected Version(s)
actual < 26.6.0
