pkg:npm/@actual-app/sync-server

4 total CVEs (HIGH: 1)

All known vulnerabilities

  • HIGH 8.8 CVE-2026-33318: Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers
    from 0, < 26.4.0
  • CVE-2026-3089: Actual Sync Server has an Authenticated Path Traversal
    from 0, < 26.3.0
  • CVE-2026-27638: @actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode
    from 0, < 26.2.1
  • CVE-2026-27584: ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints
    from 0, < 26.2.1