CyberRota
← Ana sayfaya dön

CVE-2026-50179

MEDIUM · CVSS 4.2 Public Exploit

Kaynak: NVD + CISA KEV + EPSS · Yayınlanma: 2026-07-07T22:16:52.923 · Çekilme zamanı: 2026-07-08T00:05:58.577532+00:00

CyberRota Yorumu

Detaylı analiz gerekiyor.

Public Exploit Sinyali

Bu CVE için açıklama veya referanslarda public exploit / PoC / GitHub / Metasploit sinyali tespit edildi.

Not: Bu bağlantılar yalnızca güvenlik araştırması ve doğrulama amacıyla listelenmiştir.

CVE
CVE-2026-50179
Severity
MEDIUM
CVSS
4.2
EPSS
Yok
Office

Orijinal NVD Açıklaması

Actual is a local-first personal finance tool. Prior to 26.6.0, exportToCSV and exportQueryToCSV in packages/loot-core/src/server/transactions/export/export-to-csv.ts pass user-controlled Payee, Notes, Account, and Category strings to csv-stringify with no cast callback and no formula-prefix neutralization. Strings that begin with equals sign, plus, minus, at sign, tab, or carriage return survive verbatim into the exported CSV, and when a recipient opens the file in Excel, LibreOffice Calc, or Google Sheets, the strings are interpreted as formulas, enabling transaction data exfiltration and attacker-chosen spreadsheet display values. This issue is fixed in version 26.6.0.