Actualbudget Actual
3 CVEs affecting Actualbudget Actual. Latest disclosed: 2026-04-24. Critical: 0, High: 1.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-33318 | High | 8.8 | 2026-04-24 | Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user (including `BASIC` role) can escalate to `ADMIN` on servers migr… |
| CVE-2026-27638 | | | 2026-02-26 | Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the a… |
| CVE-2026-27584 | | | 2026-02-24 | Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server component allows any unaut… |