Package impact
npm / @actual-app/sync-server
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-33318 | unknown | — | — | | | | 1mo ago | Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers |
| CVE-2026-3089 | unknown | — | — | | | | 3mo ago | Actual Sync Server has an Authenticated Path Traversal |
| CVE-2026-27638 | unknown | — | — | | | | 3mo ago | @actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode |
| CVE-2026-27584 | unknown | — | — | | | | 3mo ago | ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints |