VYPR

Actual Sync Server

by Actualbudget

CVEs (2)

  • CVE-2026-42604 | Med | Jun 12, 2026
    risk 0.45 | cvss | epss

    Actual is a local-first personal finance tool. The `POST /openid/config` endpoint in Actual Budget's sync-server versions <= 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 `client_secret`—to any caller who knows the bootstrap password. The endpoint…

  • CVE-2026-43872 | Med | Jun 12, 2026
    risk 0.27 | cvss | epss

    Actual is an open-source personal finance application. Prior to version 26.5.0, several endpoints are affected by a path traversal vulnerability. Version 26.5.0 fixes the issue.