CSV Injection Affecting @actual-app/core package, versions <26.6.0


Severity

Recommended
0.0
low
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.19% (9th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-ACTUALAPPCORE-17818141
  • published5 Jul 2026
  • disclosed22 Jun 2026
  • creditoffset

Introduced: 22 Jun 2026

NewCVE-2026-46672  (opens in a new tab)
CWE-1236  (opens in a new tab)

How to fix?

Upgrade @actual-app/core to version 26.6.0 or higher.

Overview

Affected versions of this package are vulnerable to CSV Injection via the escapeCsv function, which fails to neutralize formula-triggering prefixes in user-controlled fields when exporting data to CSV format. An attacker can cause arbitrary formula execution or data exfiltration by injecting specially crafted strings into fields that are later exported and opened in spreadsheet applications.

CVSS Base Scores

version 4.0
version 3.1