CVE-2026-50007
The CVE affects the open-source personal finance app “Actual.” Before version 26.7.0, a missing authorization flaw allows a non-owner shared user (with user_access on a budget file) to perform file-management actions that should be owner- or admin-only. Specifically, endpoints such as /delete-use...