CyberRota
← Ana sayfaya dön

CVE-2026-42890

UNKNOWN · CVSS N/A EPSS %0.13 Public Exploit

Kaynak: NVD + CISA KEV + EPSS · Yayınlanma: 2026-06-12T20:16:45.580 · Çekilme zamanı: 2026-06-30T12:18:38.027869+00:00

CyberRota Yorumu

Detaylı analiz gerekiyor.

Public Exploit Sinyali

Bu CVE için açıklama veya referanslarda public exploit / PoC / GitHub / Metasploit sinyali tespit edildi.

GitHub PoC Linkleri
github.com

Not: Bu bağlantılar yalnızca güvenlik araştırması ve doğrulama amacıyla listelenmiştir.

CVE
CVE-2026-42890
Severity
UNKNOWN
CVSS
N/A
EPSS
%0.13

Orijinal NVD Açıklaması

Actual is an open-source personal finance application. In the macOS desktop application version 25.x (built on Electron 39.2.7), the ELECTRON_RUN_AS_NODE fuse is not disabled, allowing an attacker who can place a file on disk or control command-line arguments to invoke the signed Actual.app binary with the ELECTRON_RUN_AS_NODE=1 environment variable set. This converts the application into a Node.js REPL capable of executing arbitrary code that inherits the application's entitlements and code signature, bypassing macOS Gatekeeper review. Version 26.5.0 patches the issue.