VYPR
Medium severity6.5NVD Advisory· Published Mar 9, 2026· Updated Apr 9, 2026

CVE-2026-3089

CVE-2026-3089

Description

Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments (../) can escape the intended directory and write files outside userFiles.This issue affects prior versions of Actual Sync Server 26.3.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
@actual-app/sync-servernpm
< 26.3.026.3.0

Affected products

2

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.

CVE-2026-3089 · Medium · VYPR