What is GHSA-7rvm-xjpp-63r9?

GHSA-7rvm-xjpp-63r9 is a security advisory published by GitHub Security Advisories with Medium severity. actual Allows Electron to Run As Node

Which CVE IDs does GHSA-7rvm-xjpp-63r9 cover?

GHSA-7rvm-xjpp-63r9 covers the following CVE IDs: CVE-2026-42890. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

Which products are affected by GHSA-7rvm-xjpp-63r9?

GHSA-7rvm-xjpp-63r9 affects 1 product, including: npm/actual:\u003c 26.5.0.

GHSA-7rvm-xjpp-63r9Medium

actual Allows Electron to Run As Node

Vendor

GitHub Security Advisories

Published

June 8, 2026

Last Modified

June 8, 2026

🔗 CVE IDs covered (1)

CVE-2026-42890 →

📋 Description

Summary

A electron run as node vulnerability was identified in actual (macOS application, version 25.x (Electron 39.2.7)).

Vulnerability Type: Electron Run As Node

Description

ELECTRON_RUN_AS_NODE fuse enabled (Electron 39.2.7) — app can be converted to Node.js REPL for arbitrary code execution

Impact

An attacker who can place a file on disk or control command-line arguments can invoke the signed Actual.app binary with ELECTRON_RUN_AS_NODE=1 to execute arbitrary Node.js code inheriting the apps entitlements and code signature. This bypasses macOS Gatekeeper review of the payload: the Node.js script runs as Actual, under Actuals bundle ID and signed identity, and has access to any entitlements the app carries (network, file access, keychain, automation). Combined with any downloader (browser, mail attachment, Slack link) this becomes a signed-binary-abuse primitive on every Mac with Actual installed.

🎯 Affected products1

npm/actual:< 26.5.0