Whisper Money
CVE-2026-23844
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue.
AnalysisAI
Whisper Money versions before 0.1.5 contain an insecure direct object reference vulnerability that allows authenticated users to modify bank account balances belonging to other users. An attacker with valid credentials can exploit this to manipulate financial data across multiple accounts without authorization. A patch is available in version 0.1.5 and should be applied immediately.
Technical ContextAI
Affects Whisper Money. Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue.
RemediationAI
A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.
Same weakness CWE-488 – Exposure of Data Element to Wrong Session
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today