Lucene search
K

9 matches found

Snyk
Snyk
added 2026/06/22 11:48 p.m.4 views

CSV Injection

Overview @actual-app/cli is a CLI for Actual Budget Affected versions of this package are vulnerable to CSV Injection in the exportToCSV and exportQueryToCSV processes, where user-controlled input from fields such as Payee and Notes is passed to CSV export without neutralizing formula-triggering...

4.2CVSS5.9AI score0.00286EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/22 9:42 p.m.5 views

CSV Injection

Overview @actual-app/cli is a CLI for Actual Budget Affected versions of this package are vulnerable to CSV Injection via the escapeCsv function, which fails to neutralize formula-triggering prefixes in user-controlled fields when exporting data to CSV format. An attacker can cause arbitrary...

4.6CVSS6.2AI score0.00188EPSS
Exploits0References2
NVD
NVD
added 2026/06/12 8:16 p.m.16 views

CVE-2026-42604

Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...

9.1CVSS0.004EPSS
Exploits0References2
Circl
Circl
added 2026/06/12 8:15 p.m.5 views

CVE-2026-49229

creationtimestamp| type| source ---|---|--- 2026-06-12 20:15:56+00:00| published-proof-of-concept| https://github.com/actualbudget/actual/security/advisories/GHSA-cq9c-6w48-qmfg 2026-07-07 23:42:50+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mq3rthnc4p2e...

8.3CVSS5.9AI score0.00441EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/12 6:42 p.m.31 views

CVE-2026-42604 Actual has an OpenID `client_secret` Disclosure via Broken Authorization Guard in `/openid/config`

Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...

9.1CVSS0.004EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:42 p.m.9 views

EUVD-2026-36543

Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...

9.1CVSS5.3AI score0.004EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.22 views

PT-2026-48963

Name of the Vulnerable Software and Affected Versions Actual Budget sync-server versions prior to 26.5.0 Description The POST /openid/config endpoint exposes the complete OpenID Connect configuration, which includes the OAuth2 client secret. This information is accessible to any user who possesse...

9.1CVSS5.2AI score0.004EPSS
Exploits0References4
Circl
Circl
added 2026/02/26 10:4 p.m.8 views

CVE-2026-27638

creationtimestamp| type| source ---|---|--- 2026-02-26 22:04:01+00:00| published-proof-of-concept| https://github.com/actualbudget/actual/security/advisories/GHSA-qmjj-p7m9-wjrv...

7.1CVSS5.8AI score0.00295EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/02/24 12:0 a.m.7 views

actual 访问控制错误漏洞

Actual is a personal finance tool developed by Actual OpenSource. Versions of Actual prior to 26.2.1 contained an access control vulnerability. This vulnerability stemmed from the lack of an authentication middleware in the ActualBudget server component, which could allow unverified users to acce...

9.2CVSS5.8AI score0.00395EPSS
Exploits1References2
Rows per page
Query Builder