CVE-2026-50179 in Actualinfo

Summary

by MITRE • 07/08/2026

Actual is a local-first personal finance tool. Prior to 26.6.0, exportToCSV and exportQueryToCSV in packages/loot-core/src/server/transactions/export/export-to-csv.ts pass user-controlled Payee, Notes, Account, and Category strings to csv-stringify with no cast callback and no formula-prefix neutralization. Strings that begin with equals sign, plus, minus, at sign, tab, or carriage return survive verbatim into the exported CSV, and when a recipient opens the file in Excel, LibreOffice Calc, or Google Sheets, the strings are interpreted as formulas, enabling transaction data exfiltration and attacker-chosen spreadsheet display values. This issue is fixed in version 26.6.0.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/08/2026

This vulnerability affects Actual, a local-first personal finance tool that allows users to manage their financial transactions and accounts. The security flaw exists in the export functionality of the application's backend code, specifically within the transaction export module. Prior to version 26.6.0, the system fails to properly sanitize user-controlled data before exporting it to CSV format, creating a significant vector for formula injection attacks that can compromise both data integrity and user privacy.

The technical implementation flaw resides in the csv-stringify library usage within the export-to-csv.ts file where user inputs such as Payee, Notes, Account, and Category fields are directly passed to the CSV generation process without proper sanitization. These fields contain no cast callback configuration and lack formula-prefix neutralization mechanisms that would prevent malicious strings from being interpreted as spreadsheet formulas during import. When a user exports their transaction data, any string value starting with special characters including equals sign, plus, minus, at sign, tab, or carriage return is preserved verbatim in the exported file.

The operational impact of this vulnerability is severe and directly relates to the principle of least privilege as outlined in the CWE-15 category, where insufficient input validation allows arbitrary code execution through spreadsheet formula interpretation. When recipients open the compromised CSV files in Microsoft Excel, LibreOffice Calc, or Google Sheets, these applications automatically interpret the malicious strings as formulas rather than plain text data. This enables attackers to craft transaction entries that contain spreadsheet formulas designed to exfiltrate sensitive information from the victim's system or display attacker-controlled content within the financial records.

The vulnerability demonstrates characteristics consistent with CWE-74 and CWE-150, representing a classic case of improper neutralization of special elements used in formulae within spreadsheet applications. Attackers can exploit this by creating malicious entries that contain formulas such as =cmd|'calc' or similar commands that could execute arbitrary code when the spreadsheet opens. The issue is particularly dangerous because it leverages legitimate application functionality to enable data exfiltration rather than requiring traditional exploitation vectors, making detection more challenging.

This vulnerability aligns with several ATT&CK techniques including T1059.001 (Command and Scripting Interpreter: PowerShell) and T1566.001 (Social Engineering: Spearphishing Attachment) where attackers could craft malicious financial entries that when imported into spreadsheets execute unintended commands. The attack surface is broad as it affects any user who exports transaction data, particularly in environments where shared financial documents are common or when users share exported files with others. The fix implemented in version 26.6.0 addresses this by ensuring proper sanitization of user inputs before CSV export, neutralizing formula prefixes and implementing appropriate cast callbacks to prevent malicious strings from being interpreted as spreadsheet formulas.

Organizations using Actual should immediately update to version 26.6.0 or later to remediate this vulnerability, while also implementing additional safeguards such as regular review of exported data for suspicious entries and user education about the risks of opening untrusted CSV files in spreadsheet applications. The vulnerability highlights the importance of input validation and output encoding, particularly when dealing with data that will be consumed by external applications with different interpretation rules than the originating system.

Responsible

GitHub M

Reservation

06/04/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!