PatchSiren cyber security CVE debrief
CVE-2026-46672 actualbudget CVE debrief
The Actual local-first personal finance app, prior to version 26.6.0, contains a CSV injection vulnerability. The @actual-app/cli package includes a custom CSV serializer that fails to properly neutralize standard CSV formula-injection prefixes. This issue allows for the execution of arbitrary formulas when the resulting CSV file is opened in spreadsheet applications like Excel, LibreOffice Calc, or Google Sheets. The vulnerability arises from the escapeCsv helper function in packages/cli/src/output.ts, which only handles RFC 4180 delimiter, quote, and newline escaping. Multiple CLI commands that output object arrays with user-controlled strings are affected, including those for transactions, accounts, payees, categories, tags, category groups, rules, schedules, and queries. An attacker could exploit this vulnerability to exfiltrate data and execute arbitrary formulas. The issue has been fixed in version 26.6.0.
- Vendor
- actualbudget
- Product
- actual
- CVSS
- MEDIUM 4.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-07
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-07
- Advisory updated
- 2026-07-07
Who should care
Users of the Actual local-first personal finance app, particularly those who use the command-line interface (CLI) and export data to CSV files, should be aware of this vulnerability. Additionally, security teams and administrators responsible for ensuring the security of financial data and systems should take note of this issue and verify that the patched version (26.6.0 or later) is deployed.
Technical summary
The Actual app's CLI utility, @actual-app/cli, includes a custom CSV serializer that is vulnerable to CSV injection attacks. Specifically, the escapeCsv helper function in packages/cli/src/output.ts does not properly neutralize standard CSV formula-injection prefixes. This allows attackers to inject malicious formulas into CSV files, which can be executed when opened in spreadsheet software. The vulnerability affects multiple CLI commands that output object arrays with user-controlled strings. The issue has been addressed in version 26.6.0.
Defensive priority
Medium
Recommended defensive actions
- Upgrade to version 26.6.0 or later of the Actual app
- Review and validate CSV exports for potential malicious content
- Implement additional security measures for handling and exporting sensitive data
- Monitor for suspicious activity related to CSV exports and formula execution
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-07T21:17:25.420Z and has not been modified since then. The NVD entry is currently 4.6 (MEDIUM). Evidence is limited to public sources and may not reflect the full scope of affected systems or potential impacts. Defenders should verify the official CVE record and NVD entry for the most current information and assess their exposure based on their specific environment and configurations.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T21:17:25.420Z and has not been modified since then.