CVE-2026-43872
Description
Actual server prior to 26.5.0 suffers from path traversal in multiple endpoints, allowing attackers to read or write arbitrary files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Actual, an open-source personal finance application, contains a path traversal vulnerability in its server component (actual-server) prior to version 26.5.0. Multiple endpoints fail to properly sanitize user-supplied path input, enabling an attacker to construct paths that escape the intended directory. This issue is documented in GitHub advisory GHSA-4wf8-vhhr-4gpv [2].
Exploitation
An attacker can exploit this vulnerability by sending crafted HTTP requests to vulnerable endpoints that accept path parameters. By using sequences like ../ or absolute path references, the attacker can traverse outside the restricted directory. No authentication is required for exploitation if the endpoints are publicly exposed [2].
Impact
Successful exploitation allows an attacker to read arbitrary files on the server, including sensitive configuration files, or write files to arbitrary locations. This could lead to disclosure of user data, server compromise, or remote code execution depending on the written file type [2].
Mitigation
The vulnerability is fixed in version 26.5.0 of Actual, released on June 12, 2026 [1]. Users should upgrade to this version immediately. No workarounds are known; only the patched version resolves the issue [2].
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <26.5.0
- Range: <26.5.0
Patches
14c62e2a75d48: Empty commit to bump CI
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.