Actual
Path traversal across multiple endpoints in Actual, the open-source self-hosted personal finance application, allows authenticated low-privilege users to write files outside intended server directories in all versions prior to 26.5.0. The CVSS 4.0 vector confirms network-accessible exploitation with low-privilege authentication required and impact limited to write operations on the vulnerable system only - no confidentiality or availability impact is indicated. No active exploitation has been confirmed (not in CISA KEV), and the EPSS score of 0.03% (8th percentile) reflects minimal observed exploitation interest at time of analysis.
Unauthenticated access to the `POST /openid/config` endpoint in Actual Budget sync-server versions <= 26.4.0 exposes the full OpenID Connect configuration-including the OAuth2 `client_secret`-to any caller who can supply the bootstrap password. Because the endpoint enforces no rate limiting, the bootstrap password itself is brute-forceable, compounding the exposure. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (11th percentile) reflects low current exploitation probability; however, internet-exposed instances with OIDC configured are at meaningful risk of credential harvesting.
Actual Sync Server allows authenticated users to upload files through `POST /sync/upload-user-file`. Versions up to 26.3.0 are affected by path traversal in this endpoint: a crafted file name can place the uploaded content outside the intended storage directory.
Actual personal finance application prior to version 26.2.1 fails to enforce access controls on multi-user sync API endpoints, allowing any authenticated user to read, modify, or overwrite other users' budget files. Public exploit code exists for this vulnerability. Update to version 26.2.1 or later to remediate.
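The access-control failure above is object-level authorization: the sync endpoints accepted a file identifier from any authenticated user without checking who owns that file. The following added example (not Actual's own code) shows the vulnerable lookup beside the hardened one, where the caller's identity is part of the lookup key. The in-memory `FILES` table, the user and file identifiers and the response shapes are constructed for the example.

```javascript
// Added example (not Actual's own code): object-level authorization for a
// multi-user sync API. The hardened lookups take the authenticated user id
// and return 404 for "not yours" as well as "missing", so a probing user
// cannot enumerate other people's file ids.

// Constructed in-memory file table; a real server would query its database
// with the owner id as part of the WHERE clause.
const FILES = new Map([
  ['f-alice-1', { id: 'f-alice-1', ownerId: 'alice', name: 'Household', data: 'blob-a' }],
  ['f-bob-1',   { id: 'f-bob-1',   ownerId: 'bob',   name: 'Side business', data: 'blob-b' }],
]);

// Vulnerable pattern: authentication is checked elsewhere, but any logged-in
// caller who knows (or guesses) a file id can read it.
function getFileUnchecked(fileId) {
  const file = FILES.get(fileId);
  return file ? { status: 200, body: file } : { status: 404 };
}

// Hardened pattern: every lookup is scoped to the caller.
function findOwnedFile(userId, fileId) {
  const file = FILES.get(fileId);
  return file && file.ownerId === userId ? file : null;
}

function getFileForUser(userId, fileId) {
  const file = findOwnedFile(userId, fileId);
  return file ? { status: 200, body: file } : { status: 404 };
}

function updateFileForUser(userId, fileId, newData) {
  const file = findOwnedFile(userId, fileId);
  if (!file) return { status: 404 };
  file.data = newData;
  return { status: 200 };
}

function deleteFileForUser(userId, fileId) {
  if (!findOwnedFile(userId, fileId)) return { status: 404 };
  FILES.delete(fileId);
  return { status: 204 };
}

// List endpoints need the same scoping, otherwise they leak the ids that the
// per-file checks are protecting.
function listFilesForUser(userId) {
  return [...FILES.values()]
    .filter((f) => f.ownerId === userId)
    .map((f) => ({ id: f.id, name: f.name }));
}
```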
Actual is a local-first personal finance tool. [CVSS 7.5 HIGH]