CVE-2026-42890
Actual is an open-source personal finance application
Published: 2026-06-12 · Last updated: 2026-06-12
Severity and scoring
- CWE
- CWE-94
Description
Actual is an open-source personal finance application. In the macOS desktop application version 25.x (built on Electron 39.2.7), the ELECTRON_RUN_AS_NODE fuse is not disabled, allowing an attacker who can place a file on disk or control command-line arguments to invoke the signed Actual.app binary with the ELECTRON_RUN_AS_NODE=1 environment variable set. This converts the application into a Node.js REPL capable of executing arbitrary code that inherits the application's entitlements and code signature, bypassing macOS Gatekeeper review. Version 26.5.0 patches the issue.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-12176 — A vulnerability has been found in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 (4.3 MEDIUM)
- CVE-2026-54057 — Kitty is a cross-platform GPU based terminal
- CVE-2026-12130 — A security flaw has been discovered in CodeAstro Human Resource Management System 1.0 (3.5 LOW)
- CVE-2026-12129 — A vulnerability was identified in CodeAstro Human Resource Management System 1.0 (3.5 LOW)
- CVE-2026-42851 — Kitty is a cross-platform GPU based terminal (7.8 HIGH)