16 matches found
CVE-2026-46700
Actual is a local-first personal finance tool. Prior to 26.6.0, the GET /secret/:name endpoint in @actual-app/sync-server checks only that the caller has a valid session and does not verify the caller is an admin, while the sibling POST /secret/ handler enforces an admin check in OpenID mode. Any...
CVE-2026-46700
Actual is a local-first personal finance tool. Prior to 26.6.0, the GET /secret/:name endpoint in @actual-app/sync-server checks only that the caller has a valid session and does not verify the caller is an admin, while the sibling POST /secret/ handler enforces an admin check in OpenID mode. Any...
PT-2026-51448
Name of the Vulnerable Software and Affected Versions @actual-app/sync-server versions prior to 26.6.0 Description An authorization asymmetry exists in the @actual-app/sync-server component of Actual. In OpenID multi-user deployments, the GET /secret/:name endpoint only verifies that a user has a...
EUVD-2025-35091
Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers...
Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers
Summary The GoCardless components in Actualbudget in are logging responses to STDOUT in a parsed format using console.logand console.debug Which in this version of node is an alias for console.log. This is exposing sensitive information in log files including, but not limited to: - Gocardless...
Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers
The GoCardless components in Actualbudget in are logging responses to STDOUT in a parsed format using console.logand console.debug Which in this version of node is an alias for console.log. This is exposing sensitive information in log files including, but not limited to: - Gocardless bearer...
EUVD-2023-41745
Malicious code in bioql PyPI...
CVE-2023-37871
Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce GoCardless.This issue affects GoCardless: from n/a through 2.5.6...
CVE-2023-37871
Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce GoCardless.This issue affects GoCardless: from n/a through 2.5.6...
CVE-2023-37871
Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce GoCardless.This issue affects GoCardless: from n/a through 2.5.6...
Authorization
Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce GoCardless.This issue affects GoCardless: from n/a through 2.5.6...
CVE-2023-37871
CVE-2023-37871: The WooCommerce GoCardless Gateway plugin (
CVE-2023-37871 WordPress WooCommerce GoCardless Gateway Plugin <= 2.5.6 is vulnerable to Insecure Direct Object References (IDOR)
Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce GoCardless.This issue affects GoCardless: from n/a through 2.5.6...
WordPress Plugin GoCardless Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability...
WooCommerce GoCardless Gateway < 2.5.7 - Unauthenticated Sensitive Information Disclosure
The plugin does not check user permissions before displaying sensitive information about an Order, leading to sensitive information disclosure as well as the ability for an unauthenticated user to cancel any guest's order...
WordPress WooCommerce GoCardless Gateway Plugin <= 2.5.6 is vulnerable to Insecure Direct Object References (IDOR)
Software WooCommerce GoCardless Gateway Type Plugin Vulnerable versions = 2.5.6 Fixed in 2.5.7 OWASP Top 10 A5: Broken Access Control Classification Insecure Direct Object References IDOR CVE CVE-2023-37871 Patch priority Low CVSS severity Low 8.2 Developer Claim ownership PSID 5a7891bcb8a5 Credi...