pkg:npm/@actual-app/sync-server
4 total CVEs (HIGH: 1)
All known vulnerabilities
HIGH 8.8 | CVE-2026-33318 | Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers | from 0, < 26.4.0
— | CVE-2026-3089 | Actual Sync Server has an Authenticated Path Traversal | from 0, < 26.3.0
— | CVE-2026-27638 | @actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode | from 0, < 26.2.1
— | CVE-2026-27584 | ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints | from 0, < 26.2.1