Actual

2 CVEs product

CVE-2026-27638 HIGH POC PATCH This Week

Actual personal finance application prior to version 26.2.1 fails to enforce access controls on multi-user sync API endpoints, allowing any authenticated user to read, modify, or overwrite other users' budget files. Public exploit code exists for this vulnerability. Update to version 26.2.1 or later to remediate.

Authentication Bypass Actual
NVD GitHub
CVSS 3.1: 7.1
EPSS: 0.0%
CVE-2026-27584 HIGH POC PATCH This Week

Actual is a local-first personal finance tool. [CVSS 7.5 HIGH]

Authentication Bypass Information Disclosure Actual
NVD GitHub
CVSS 3.1: 7.5
EPSS: 0.1%
