Lucene search
K

4 matches found

Cvelist
Cvelist
added 6 days ago25 views

CVE-2026-50179 Actual: CSV Formula Injection in Transaction Export via Imported Payee/Notes Fields

Actual is a local-first personal finance tool. Prior to 26.6.0, exportToCSV and exportQueryToCSV in packages/loot-core/src/server/transactions/export/export-to-csv.ts pass user-controlled Payee, Notes, Account, and Category strings to csv-stringify with no cast callback and no formula-prefix...

4.2CVSS0.00286EPSS
Exploits0References3
CVE
CVE
added 6 days ago14 views

CVE-2026-50179

CVE-2026-50179 affects Actual Budget prior to version 26.6.0 where exportToCSV/exportQueryToCSV passed user-controlled Payee/Notes/Account/Category strings to csv-stringify without a cast callback, allowing formula prefixes (e.g., =, +, -, @, tab, CR) to survive in CSV cells. When opened in Excel...

4.2CVSS6AI score0.00286EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/06/22 11:48 p.m.5 views

@actual-app/web has CSV Formula Injection in Transaction Export via Imported Payee/Notes Fields

Summary exportToCSV and exportQueryToCSV in packages/loot-core/src/server/transactions/export/export-to-csv.ts pass user-controlled Payee, Notes, Account, and Category strings to csv-stringify with no cast callback and no formula-prefix neutralization. Strings that begin with =, +, -, @, tab, or...

4.2CVSS5.9AI score0.00286EPSS
Exploits0References2Affected Software1
CNNVD
CNNVD
added 2023/07/12 12:0 a.m.8 views

WordPress Plugin WP EasyPay – Square for WordPress 跨站请求伪造漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. WordPress Plugin WP EasyPay...

4.3CVSS5AI score0.00351EPSS
Exploits0References11
Rows per page
Query Builder