Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CVE-2026-46672: CWE-1236: Improper Neutralization of Formula Elements in a CSV File in actualbudget actual

0
Medium
VulnerabilityCVE-2026-46672cvecve-2026-46672cwe-1236
Published: 07/07/2026 (07/07/2026, 20:55:02 UTC)
Source: CVE Database V5
Vendor/Project: actualbudget
Product: actual

Description

Actualbudget's Actual app versions prior to 26.6.0 contain a CSV injection vulnerability in its CLI CSV serializer. The escapeCsv helper does not neutralize formula-injection prefixes, allowing user-controlled strings in CSV exports to auto-evaluate as formulas in spreadsheet applications. This can lead to data exfiltration and arbitrary formula execution when CSV files are opened in Excel, LibreOffice Calc, or Google Sheets. The issue is fixed in version 26.6.0.

CVSS v3.1

Score 4.6medium

Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Affected software

GitHub Actionsmore threats →ai
actualbudget/actual
pkg:github/actualbudget/actual
Affected versions
<26.6.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/07/2026, 21:13:52 UTC

Technical Analysis

The Actual app (actualbudget) before version 26.6.0 uses a custom CSV serializer in its CLI that inadequately escapes CSV content. Specifically, the escapeCsv helper only handles RFC 4180 delimiter, quote, and newline escaping but fails to neutralize formula-injection prefixes that spreadsheet software interprets as executable formulas. This vulnerability affects any CLI command that outputs user-controlled strings in CSV format, such as transactions, accounts, payees, categories, tags, category-groups, rules, schedules, and queries. Opening such CSV files in common spreadsheet applications can trigger formula execution, enabling potential data exfiltration or arbitrary formula execution. The vulnerability is addressed in version 26.6.0.

Potential Impact

An attacker can craft CSV files containing malicious formulas that execute automatically when opened in spreadsheet software, potentially leading to data exfiltration or arbitrary code execution within the spreadsheet context. The vulnerability requires local or limited privileges (AV:L, PR:L) and user interaction (UI:R) to open the malicious CSV file. The impact includes confidentiality and integrity loss but no availability impact. The CVSS score is 4.6 (medium severity).

Mitigation Recommendations

Upgrade the Actual app to version 26.6.0 or later, where the CSV injection vulnerability is fixed by properly neutralizing formula prefixes in CSV exports. Until upgrading, avoid opening CSV files generated by vulnerable versions in spreadsheet applications or sanitize CSV content manually to neutralize formula injection vectors.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-05-15T21:46:51.547Z
Cvss Version
3.1
State
PUBLISHED
Remediation Level
null

Threat ID: 6a4d6893c9d9e3dbe3d54561

Added to database: 07/07/2026, 20:58:59 UTC

Last enriched: 07/07/2026, 21:13:52 UTC

Last updated: 07/07/2026, 21:50:25 UTC

Views: 3

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses