Every CVE whose affected-product data names Actualbudget Actual, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (4)
CVE-2026-33318 — CVSS 8.8 (high): Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user (including `BASIC` role) can escalate to…
CVE-2026-27584 — CVSS 7.5 (high): Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server…
CVE-2026-27638 — CVSS 7.1 (high): Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`)…
CVE-2026-3089 — CVSS 6.5 (medium): Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper…