CVE-2026-42890
Published 2026-06-12
Priority: P4 25 · Severity: medium · CVSS 4.0 base score: 4.8
CVSS 4.0 vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
EPSS: 0.13% (2.7th percentile)
Actual is an open-source personal finance application. In the macOS desktop application version 25.x (built on Electron 39.2.7), the ELECTRON_RUN_AS_NODE fuse is not disabled, allowing an attacker who can place a file on disk or control command-line arguments to invoke the signed Actual.app binary with the ELECTRON_RUN_AS_NODE=1 environment variable set. This converts the application into a Node.js REPL capable of executing arbitrary code that inherits the application's entitlements and code signature, bypassing macOS Gatekeeper review. Version 26.5.0 patches the issue.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| actualbudget | actual | < 26.5.0 | 26.5.0 |
| actualbudget | actual | >= 0 < 26.5.0 | 26.5.0 |
VulDB · 2026-06-12 · CVSS 4.8
CVE-2026-42890 [MEDIUM] actualbudget actual up to 26.4.x Environment Variable code injection (GHSA-7rvm-xjpp-63r9)
A vulnerability marked as critical has been reported in actualbudget actual up to 26.4.x. Affected by this vulnerability is an unknown functionality of the component Environment Variable Handler. Performing a manipulation results in code injection.
This vulnerability is cataloged as CVE-2026-42890. The attack must be initiated from a local position. There is no exploit available.
It is suggested to upgrade the affected component.
GHSA · 2026-06-08
CVE-2026-42890 [MEDIUM] CWE-94 actual Allows Electron to Run As Node
## Summary
An Electron run-as-Node vulnerability was identified in `actual` (macOS application, version `25.x (Electron 39.2.7)`).
**Vulnerability Type:** Electron Run As Node
## Description
ELECTRON_RUN_AS_NODE fuse enabled (Electron 39.2.7) — app can be converted to Node.js REPL for arbitrary code execution
## Impact
An attacker who can place a file on disk or control command-line arguments can invoke the signed Actual.app binary with ELECTRON_RUN_AS_NODE=1 to execute arbitrary Node.js code inheriting the app's entitlements and code signature. This bypasses macOS Gatekeeper review of the payload: the Node.js script runs as Actual, under Actual's bundle ID and signed identity, and has access to any entitlements the app carries (network, file acces
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.