A vulnerability marked as critical has been reported in actualbudget actual up to 26.4.x . Affected by this vulnerability is an unknown functionality of the component Environment Variable Handler . Performing a manipulation results in code injection. This vulnerability is cataloged as CVE-2026-42890 . The attack must be initiated from a local position. There is no exploit available. It is suggested to upgrade the affected component.