CVE-2026-46672: CWE-1236: Improper Neutralization of Formula Elements in a CSV File in actualbudget actual
Actualbudget's Actual app versions prior to 26.6.0 contain a CSV injection vulnerability in its CLI CSV serializer. The escapeCsv helper does not neutralize formula-injection prefixes, allowing user-controlled strings in CSV exports to auto-evaluate as formulas in spreadsheet applications. This can lead to data exfiltration and arbitrary formula execution when CSV files are opened in Excel, LibreOffice Calc, or Google Sheets. The issue is fixed in version 26.6.0.
AI Analysis
Technical Summary
The Actual app (actualbudget) before version 26.6.0 uses a custom CSV serializer in its CLI that inadequately escapes CSV content. Specifically, the escapeCsv helper only handles RFC 4180 delimiter, quote, and newline escaping but fails to neutralize formula-injection prefixes that spreadsheet software interprets as executable formulas. This vulnerability affects any CLI command that outputs user-controlled strings in CSV format, such as transactions, accounts, payees, categories, tags, category-groups, rules, schedules, and queries. Opening such CSV files in common spreadsheet applications can trigger formula execution, enabling potential data exfiltration or arbitrary formula execution. The vulnerability is addressed in version 26.6.0.
Potential Impact
An attacker can craft CSV files containing malicious formulas that execute automatically when opened in spreadsheet software, potentially leading to data exfiltration or arbitrary code execution within the spreadsheet context. The vulnerability requires local or limited privileges (AV:L, PR:L) and user interaction (UI:R) to open the malicious CSV file. The impact includes confidentiality and integrity loss but no availability impact. The CVSS score is 4.6 (medium severity).
Mitigation Recommendations
Upgrade the Actual app to version 26.6.0 or later, where the CSV injection vulnerability is fixed by properly neutralizing formula prefixes in CSV exports. Until upgrading, avoid opening CSV files generated by vulnerable versions in spreadsheet applications or sanitize CSV content manually to neutralize formula injection vectors.
CVE-2026-46672: CWE-1236: Improper Neutralization of Formula Elements in a CSV File in actualbudget actual
Description
Actualbudget's Actual app versions prior to 26.6.0 contain a CSV injection vulnerability in its CLI CSV serializer. The escapeCsv helper does not neutralize formula-injection prefixes, allowing user-controlled strings in CSV exports to auto-evaluate as formulas in spreadsheet applications. This can lead to data exfiltration and arbitrary formula execution when CSV files are opened in Excel, LibreOffice Calc, or Google Sheets. The issue is fixed in version 26.6.0.
CVSS v3.1
Score 4.6medium
Affected software
pkg:github/actualbudget/actualRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Actual app (actualbudget) before version 26.6.0 uses a custom CSV serializer in its CLI that inadequately escapes CSV content. Specifically, the escapeCsv helper only handles RFC 4180 delimiter, quote, and newline escaping but fails to neutralize formula-injection prefixes that spreadsheet software interprets as executable formulas. This vulnerability affects any CLI command that outputs user-controlled strings in CSV format, such as transactions, accounts, payees, categories, tags, category-groups, rules, schedules, and queries. Opening such CSV files in common spreadsheet applications can trigger formula execution, enabling potential data exfiltration or arbitrary formula execution. The vulnerability is addressed in version 26.6.0.
Potential Impact
An attacker can craft CSV files containing malicious formulas that execute automatically when opened in spreadsheet software, potentially leading to data exfiltration or arbitrary code execution within the spreadsheet context. The vulnerability requires local or limited privileges (AV:L, PR:L) and user interaction (UI:R) to open the malicious CSV file. The impact includes confidentiality and integrity loss but no availability impact. The CVSS score is 4.6 (medium severity).
Mitigation Recommendations
Upgrade the Actual app to version 26.6.0 or later, where the CSV injection vulnerability is fixed by properly neutralizing formula prefixes in CSV exports. Until upgrading, avoid opening CSV files generated by vulnerable versions in spreadsheet applications or sanitize CSV content manually to neutralize formula injection vectors.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-15T21:46:51.547Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4d6893c9d9e3dbe3d54561
Added to database: 07/07/2026, 20:58:59 UTC
Last enriched: 07/07/2026, 21:13:52 UTC
Last updated: 07/07/2026, 21:50:25 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.