2 matches found
CVE-2026-46672
Actual is a local-first personal finance app. Prior to 26.6.0, @actual-app/cli ships a hand-rolled CSV serializer in packages/cli/src/output.ts used whenever the global --format csv option is passed, whose escapeCsv helper only handles RFC 4180 delimiter, quote, and newline escaping and does not...
CVE-2026-46672
creationtimestamp| type| source ---|---|--- 2026-06-12 20:16:24+00:00| published-proof-of-concept| https://github.com/actualbudget/actual/security/advisories/GHSA-7gh7-258j-4mpq...