Lucene search
K

7 matches found

NVD
NVD
added 2026/06/12 8:16 p.m.12 views

CVE-2026-42604

Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...

9.1CVSS0.004EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/12 6:42 p.m.12 views

CVE-2026-42604 Actual has an OpenID `client_secret` Disclosure via Broken Authorization Guard in `/openid/config`

Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...

9.1CVSS5.3AI score0.004EPSS
Exploits0References2
CVE
CVE
added 2026/06/12 6:42 p.m.22 views

CVE-2026-42604

The CVE concerns Actual Budget’s sync-server (local-first Personal Finance tool). Versions ≤ 26.4.0 expose the full OpenID Connect configuration, including the OAuth2 client_secret, via POST /openid/config to callers who know the bootstrap password. The endpoint lacks authentication and rate limi...

9.1CVSS5.3AI score0.004EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:42 p.m.8 views

EUVD-2026-36543

Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...

9.1CVSS5.3AI score0.004EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/12 6:42 p.m.27 views

CVE-2026-42604 Actual has an OpenID `client_secret` Disclosure via Broken Authorization Guard in `/openid/config`

Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...

9.1CVSS0.004EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.18 views

PT-2026-48963

Name of the Vulnerable Software and Affected Versions Actual Budget sync-server versions prior to 26.5.0 Description The POST /openid/config endpoint exposes the complete OpenID Connect configuration, which includes the OAuth2 client secret. This information is accessible to any user who possesse...

9.1CVSS5.2AI score0.004EPSS
Exploits0References4
OSV
OSV
added 2025/08/28 1:33 p.m.2 views

GHSA-8PXW-9C75-6W56 NeuVector admin account has insecure default password

Impact A vulnerability exists in NeuVector versions up to and including 5.4.5, where a fixed string is used as the default password for the built-in admin account. If this password is not changed immediately after deployment, any workload with network access within the cluster could use the defau...

9.8CVSS7.2AI score0.0052EPSS
Exploits0References4
Rows per page
Query Builder