CVE-2026-46672 in Actual
Summary
by MITRE • 07/08/2026
Actual is a local-first personal finance app. Prior to 26.6.0, @actual-app/cli ships a hand-rolled CSV serializer in packages/cli/src/output.ts used whenever the global --format csv option is passed, whose escapeCsv helper only handles RFC 4180 delimiter, quote, and newline escaping and does not neutralize standard CSV formula-injection prefixes. Any CLI command that streams an object array containing user-controlled strings, including transactions list, accounts list, payees list, categories list, tags list, category-groups list, rules list, schedules list, and query, can emit cells that auto-evaluate when the resulting CSV is opened in Excel, LibreOffice Calc, or Google Sheets, enabling data exfiltration and arbitrary formula execution. This issue is fixed in version 26.6.0.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/08/2026
The vulnerability resides in the actual-app/cli package where a custom CSV serializer implementation was introduced to handle the global --format csv option. This hand-rolled approach in packages/cli/src/output.ts contains a critical flaw in its escapeCsv helper function that only implements basic RFC 4180 compliance for delimiter, quote, and newline escaping but fails to address the more sophisticated CSV formula injection vulnerabilities. The vulnerability affects numerous CLI commands that process object arrays containing user-controlled data including transactions, accounts, payees, categories, tags, category groups, rules, and schedules lists. When these commands generate CSV output, any user-provided strings that contain formula prefixes such as =, +, -, or can be interpreted by spreadsheet applications as executable formulas rather than literal text values.
The security implications of this vulnerability are severe as it enables arbitrary code execution through spreadsheet formula injection attacks. When users open the generated CSV files in popular spreadsheet applications like Microsoft Excel, LibreOffice Calc, or Google Sheets, cells containing malicious formulas will automatically execute upon file opening or cell activation. This creates a vector for data exfiltration where attackers can craft malicious inputs that, when processed by the CLI and opened in spreadsheets, can extract sensitive information from the system or perform unauthorized operations. The flaw allows attackers to inject formulas that can reference external resources, make network requests, or execute system commands depending on the target environment and spreadsheet application capabilities.
This vulnerability aligns with CWE-15 (External Control of System or Configuration Setting) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) classifications as it involves improper handling of user-controlled data that flows into downstream CSV processing components. The attack pattern follows ATT&CK technique T1059.006 (Command and Scripting Interpreter: Python) or similar execution techniques where spreadsheet applications execute formulas, enabling lateral movement or privilege escalation. The impact extends beyond simple information disclosure as the attack surface includes any user-controllable input that gets serialized to CSV format, making it a critical vulnerability for applications handling personal financial data.
The fix implemented in version 26.6.0 addresses the core issue by properly neutralizing CSV formula injection prefixes through comprehensive escaping of special characters that could trigger formula execution. This includes ensuring that strings beginning with =, +, -, or @ are properly escaped or quoted to prevent interpretation as spreadsheet formulas. Organizations using actual personal finance applications should immediately upgrade to version 26.6.0 or later and consider implementing additional mitigations such as validating and sanitizing all user inputs before processing, implementing proper CSV output validation, and educating users about the risks of opening untrusted CSV files in spreadsheet applications. The vulnerability demonstrates the importance of using well-tested libraries for data serialization rather than hand-rolled implementations, particularly when dealing with potentially malicious user inputs in financial applications where data integrity and security are paramount.