CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-50179

mediumCVSS 4.2covered by 1 sourcefirst seen 2026-07-07
Actual is a local-first personal finance tool. Prior to 26.6.0, exportToCSV and exportQueryToCSV in packages/loot-core/src/server/transactions/export/export-to-csv.ts pass user-controlled Payee, Notes, Account, and Category strings to csv-stringify with no cast callback and no formula-prefix neutralization. Strings that begin with equals sign, plus, minus, at sign, tab, or carriage return survive verbatim into the exported CSV, and when a recipient opens the file in Excel, LibreOffice Calc, or Google Sheets, the strings are interpreted as formulas, enabling transaction data exfiltration and attacker-chosen spreadsheet display values. This issue is fixed in version 26.6.0.

⚡ Watch CVE-2026-50179

Get an email if CVE-2026-50179 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-50179

CVE.org record

Embed the live status

CVE-2026-50179 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-50179 status](https://www.csirts.com/badge/CVE-2026-50179)](https://www.csirts.com/cve/CVE-2026-50179)