@actual-app/sync-server (npm) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package @actual-app/sync-server, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (6)
CVE-2026-33318 — CVSS 8.8 (high): Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user (including `BASIC` role) can escalate to…
CVE-2026-49229 — CVSS 8.3 (high): Actual is a local-first personal finance app. Prior to 26.6.0, in OpenID multi-user mode, disabling a user only blocks future OpenID login…
CVE-2026-27584 — CVSS 7.5 (high): Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server…
CVE-2026-27638 — CVSS 7.1 (high): Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`)…
CVE-2026-3089 — CVSS 6.5 (medium): Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper…
CVE-2026-46700 — CVSS 4.3 (medium): Actual is a local-first personal finance tool. Prior to 26.6.0, the GET /secret/:name endpoint in @actual-app/sync-server checks only that…