Medium severity5.7NVD Advisory· Published Apr 8, 2026· Updated Apr 16, 2026

CVE-2026-39901

Description

monetr is a budgeting application focused on planning for recurring expenses. Prior to 1.12.3, a transaction integrity flaw allows an authenticated tenant user to soft-delete synced non-manual transactions through the transaction update endpoint, despite the application explicitly blocking deletion of those transactions via the normal DELETE path. This bypass undermines the intended protection for imported transaction records and allows protected transactions to be hidden from normal views. This vulnerability is fixed in 1.12.3.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/monetr/monetrGo	< 1.12.3	1.12.3

Affected products

Monetr/Monetrinferred
Range: <1.12.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-hqxq-hwqf-wg83ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-39901ghsaADVISORY
github.com/monetr/monetr/releases/tag/v1.12.3ghsaWEB
github.com/monetr/monetr/security/advisories/GHSA-hqxq-hwqf-wg83nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.371
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000