CSV Injection Affecting @actual-app/core package, versions <26.6.0


Severity

Recommended
0.0
low
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.29% (21st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-ACTUALAPPCORE-17818137
  • published5 Jul 2026
  • disclosed22 Jun 2026
  • creditoffset

Introduced: 22 Jun 2026

NewCVE-2026-50179  (opens in a new tab)
CWE-1236  (opens in a new tab)

How to fix?

Upgrade @actual-app/core to version 26.6.0 or higher.

Overview

Affected versions of this package are vulnerable to CSV Injection in the exportToCSV and exportQueryToCSV processes, where user-controlled input from fields such as Payee and Notes is passed to CSV export without neutralizing formula-triggering characters. An attacker can cause confidential data to be exfiltrated or displayed incorrectly by crafting malicious input that, when exported and opened in spreadsheet software, is interpreted as a formula. This can lead to the exposure of sensitive information or manipulation of displayed data when the exported CSV is opened by a victim or shared recipient.

CVSS Base Scores

version 4.0
version 3.1