Lucene search
K

8 matches found

NVD
NVD
added 2 days ago3 views

CVE-2026-46672

Actual is a local-first personal finance app. Prior to 26.6.0, @actual-app/cli ships a hand-rolled CSV serializer in packages/cli/src/output.ts used whenever the global --format csv option is passed, whose escapeCsv helper only handles RFC 4180 delimiter, quote, and newline escaping and does not...

4.6CVSS0.00188EPSS
Exploits0References4
Cvelist
Cvelist
added 2 days ago31 views

CVE-2026-46672 Actual: CSV Formula Injection in `@actual-app/cli` `--format csv` Output via Custom `escapeCsv` Helper

Actual is a local-first personal finance app. Prior to 26.6.0, @actual-app/cli ships a hand-rolled CSV serializer in packages/cli/src/output.ts used whenever the global --format csv option is passed, whose escapeCsv helper only handles RFC 4180 delimiter, quote, and newline escaping and does not...

4.6CVSS0.00188EPSS
Exploits0References4
Snyk
Snyk
added 2026/06/22 9:42 p.m.5 views

CSV Injection

Overview Affected versions of this package are vulnerable to CSV Injection via the escapeCsv function, which fails to neutralize formula-triggering prefixes in user-controlled fields when exporting data to CSV format. An attacker can cause arbitrary formula execution or data exfiltration by...

4.6CVSS6.2AI score0.00188EPSS
Exploits0References2
CVE
CVE
added 2026/06/12 6:58 p.m.32 views

CVE-2026-42890

CVE-2026-42890 affects the macOS desktop application Actual (version 25.x, Electron 39.2.7). The ELECTRON_RUN_AS_NODE fuse was not disabled, allowing a local attacker who can place a file on disk or influence command-line arguments to invoke Actual.app with ELECTRON_RUN_AS_NODE=1. This converts t...

4.8CVSS5.6AI score0.00126EPSS
Exploits0References2
OSV
OSV
added 2026/06/08 6:21 p.m.7 views

GHSA-7RVM-XJPP-63R9 actual Allows Electron to Run As Node

Summary A electron run as node vulnerability was identified in actual macOS application, version 25.x Electron 39.2.7. Vulnerability Type: Electron Run As Node Description ELECTRONRUNASNODE fuse enabled Electron 39.2.7 — app can be converted to Node.js REPL for arbitrary code execution Impact An...

4.8CVSS6AI score0.00126EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/08 12:0 a.m.14 views

PT-2026-47558

Summary A electron run as node vulnerability was identified in actual macOS application, version 25.x Electron 39.2.7. Vulnerability Type: Electron Run As Node Description ELECTRON RUN AS NODE fuse enabled Electron 39.2.7 — app can be converted to Node.js REPL for arbitrary code execution Impact ...

4.8CVSS6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/08 12:0 a.m.13 views

PT-2026-47599

Name of the Vulnerable Software and Affected Versions Actual versions prior to 26.5.0 Description In the macOS desktop application, the ELECTRON RUN AS NODE fuse is not disabled. This allows an attacker who can place a file on disk or control command-line arguments to invoke the signed Actual.app...

4.8CVSS5.8AI score0.00126EPSS
Exploits0References5
Snyk
Snyk
added 2026/04/23 9:23 p.m.6 views

Missing Authorization

Overview @actual-app/sync-server is an actual syncing server Affected versions of this package are vulnerable to Missing Authorization via the change-password endpoint, which lacks proper authorization checks. An attacker can gain administrative privileges by overwriting the password hash for the...

8.8CVSS5.6AI score0.00472EPSS
Exploits1References3
Rows per page
Query Builder