Lucene search
K

101 matches found

NVD
NVD
added 2026/06/12 8:16 p.m.12 views

CVE-2026-42604

Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...

9.1CVSS0.004EPSS
Exploits0References2
NVD
NVD
added 2026/06/12 8:16 p.m.10 views

CVE-2026-43872

Actual is an open-source personal finance application. Prior to version 26.5.0, several endpoints are affected by a path traversal vulnerability. Version 26.5.0 fixes the issue...

5.3CVSS0.00303EPSS
Exploits0References2
NVD
NVD
added 2026/06/12 8:16 p.m.11 views

CVE-2026-42890

Actual is an open-source personal finance application. In the macOS desktop application version 25.x built on Electron 39.2.7, the ELECTRONRUNASNODE fuse is not disabled, allowing an attacker who can place a file on disk or control command-line arguments to invoke the signed Actual.app binary wit...

4.8CVSS0.00126EPSS
Exploits0References2
Circl
Circl
added 2026/06/12 8:15 p.m.5 views

CVE-2026-49229

creationtimestamp| type| source ---|---|--- 2026-06-12 20:15:56+00:00| published-proof-of-concept| https://github.com/actualbudget/actual/security/advisories/GHSA-cq9c-6w48-qmfg...

5.8AI score0.00038EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/12 7:5 p.m.29 views

CVE-2026-43872 actual-server has a path traversal vulnerability

Actual is an open-source personal finance application. Prior to version 26.5.0, several endpoints are affected by a path traversal vulnerability. Version 26.5.0 fixes the issue...

5.3CVSS0.00303EPSS
Exploits0References2
CVE
CVE
added 2026/06/12 7:5 p.m.19 views

CVE-2026-43872

CVE-2026-43872 affects the open-source personal finance app Actual prior to version 26.5.0 , where several endpoints are vulnerable to a path traversal flaw. The root cause is not explicitly detailed in the provided documents beyond the vulnerability class; the issue is resolved by upgrading to 2...

5.3CVSS5.3AI score0.00303EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/12 7:5 p.m.5 views

CVE-2026-43872 actual-server has a path traversal vulnerability

Actual is an open-source personal finance application. Prior to version 26.5.0, several endpoints are affected by a path traversal vulnerability. Version 26.5.0 fixes the issue...

5.3CVSS5.3AI score0.00303EPSS
Exploits0References2
CVE
CVE
added 2026/06/12 6:58 p.m.25 views

CVE-2026-42890

CVE-2026-42890 affects the macOS desktop application Actual (version 25.x, Electron 39.2.7). The ELECTRON_RUN_AS_NODE fuse was not disabled, allowing a local attacker who can place a file on disk or influence command-line arguments to invoke Actual.app with ELECTRON_RUN_AS_NODE=1. This converts t...

4.8CVSS5.6AI score0.00126EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/12 6:58 p.m.28 views

CVE-2026-42890 actual Allows Electron to Run As Node

Actual is an open-source personal finance application. In the macOS desktop application version 25.x built on Electron 39.2.7, the ELECTRONRUNASNODE fuse is not disabled, allowing an attacker who can place a file on disk or control command-line arguments to invoke the signed Actual.app binary wit...

4.8CVSS0.00126EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/12 6:42 p.m.26 views

CVE-2026-42604 Actual has an OpenID `client_secret` Disclosure via Broken Authorization Guard in `/openid/config`

Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...

9.1CVSS0.004EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:42 p.m.7 views

EUVD-2026-36543

Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...

9.1CVSS5.3AI score0.004EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.17 views

PT-2026-48963

Name of the Vulnerable Software and Affected Versions Actual Budget sync-server versions prior to 26.5.0 Description The POST /openid/config endpoint exposes the complete OpenID Connect configuration, which includes the OAuth2 client secret. This information is accessible to any user who possesse...

9.1CVSS5.2AI score0.004EPSS
Exploits0References4
vulnersOsv
vulnersOsv
added 2026/06/08 6:21 p.m.6 views

res (>=0.2.0 <=0.3.0), scroller-motion (>=0.0.1-beta.2 <=0.0.1-beta.3) potentially affected by CVE-2026-42890 via actual (>=0.2.0 <=0.4.0)

actual NPM version =0.2.0, =0.2.0, =0.0.1-beta.2, =0.0.1-beta.3 Source cves: CVE-2026-42890 Source advisory: OSV:GHSA-7RVM-XJPP-63R9...

5.5AI score0.00126EPSS
Exploits0
OSV
OSV
added 2026/06/08 6:21 p.m.5 views

GHSA-7RVM-XJPP-63R9 actual Allows Electron to Run As Node

Summary A electron run as node vulnerability was identified in actual macOS application, version 25.x Electron 39.2.7. Vulnerability Type: Electron Run As Node Description ELECTRONRUNASNODE fuse enabled Electron 39.2.7 — app can be converted to Node.js REPL for arbitrary code execution Impact An...

4.8CVSS6AI score0.00126EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/08 12:0 a.m.11 views

PT-2026-47558

Summary A electron run as node vulnerability was identified in actual macOS application, version 25.x Electron 39.2.7. Vulnerability Type: Electron Run As Node Description ELECTRON RUN AS NODE fuse enabled Electron 39.2.7 — app can be converted to Node.js REPL for arbitrary code execution Impact ...

4.8CVSS6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/08 12:0 a.m.11 views

PT-2026-47599

Name of the Vulnerable Software and Affected Versions Actual versions prior to 26.5.0 Description In the macOS desktop application, the ELECTRON RUN AS NODE fuse is not disabled. This allows an attacker who can place a file on disk or control command-line arguments to invoke the signed Actual.app...

4.8CVSS5.8AI score0.00126EPSS
Exploits0References5
Packet Storm News
Packet Storm News
added 2026/05/12 12:0 a.m.8 views

Behavioral Integrity Verification for AI Agent Skills

Agent skills extend LLM agents with privileged third-party capabilities such as filesystem access, credentials, network calls, and shell execution. Existing safety work catches malicious prompts and risky runtime actions, but the skill artifact itself goes unverified. We formalize this as the...

5.9AI score
Exploits0
Cvelist
Cvelist
added 2026/04/24 2:13 a.m.34 views

CVE-2026-33318 Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers

Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user including BASIC role can escalate to ADMIN on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: POST /account/change-password has no authorization check, allowin...

8.8CVSS0.00472EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/23 9:23 p.m.6 views

Missing Authorization

Overview @actual-app/sync-server is an actual syncing server Affected versions of this package are vulnerable to Missing Authorization via the change-password endpoint, which lacks proper authorization checks. An attacker can gain administrative privileges by overwriting the password hash for the...

8.8CVSS5.6AI score0.00472EPSS
Exploits1References3
OSV
OSV
added 2026/03/25 11:16 a.m.4 views

UBUNTU-CVE-2026-23307

In the Linux kernel, the following vulnerability has been resolved: can: emsusb: emsusbreadbulkcallback: check the proper length of a message When looking at the data in a USB urb, the actuallength is the size of the buffer passed to the driver, not the transferbufferlength which is set by the...

5.5CVSS5.9AI score0.00123EPSS
Exploits0References9
Rows per page
Query Builder