Description
Actual is an open-source personal finance application. Prior to version 26.5.0, several endpoints are affected by a path traversal vulnerability. Version 26.5.0 fixes the issue.
Published: 2026-06-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Actual application contains a path traversal flaw in several web endpoints that improperly sanitize file path inputs. An attacker can alter the path segment of a request to reference files outside the intended directory, effectively reading arbitrary files served by the application. The weakness is classified as CWE-22 and is not documented as requiring authentication, implying the flaw could be exploited by anyone who can reach the vulnerable endpoints.

Affected Systems

The vendor is actualbudget, offering the open-source personal finance application named Actual. Versions prior to 26.5.0 are affected. Versions 26.5.0 and later contain the patch.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, while the EPSS score of less than 1% suggests a very low likelihood of exploitation at present. The issue is not listed in the CISA KEV catalog. The vulnerability is likely exploitable via exposed HTTP endpoints, representing an external network attack vector. Applying the official update reduces the risk window, as the flaw allows file reads without authentication or privilege escalation.

Generated by OpenCVE AI on June 12, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official vendor update to version 26.5.0 or newer
  • Block external access to the vulnerable API routes temporarily by configuring the reverse proxy or firewall to deny requests to those endpoints
  • After updating, review server file permissions and logs for any unauthorized file access that may have occurred before the patch was applied

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

  Type: First Time appeared
    Values Removed: (none)
    Values Added: Actualbudget; Actualbudget actual
  Type: Vendors & Products
    Values Removed: (none)
    Values Added: Actualbudget; Actualbudget actual

Fri, 12 Jun 2026 19:45:00 +0000

  Type: Description
    Values Removed: (none)
    Values Added: Actual is an open-source personal finance application. Prior to version 26.5.0, several endpoints are affected by a path traversal vulnerability. Version 26.5.0 fixes the issue.
  Type: Title
    Values Removed: (none)
    Values Added: actual-server has a path traversal vulnerability
  Type: Weaknesses
    Values Removed: (none)
    Values Added: CWE-22
  Type: References
    Values Removed: (none)
    Values Added: (none)
  Type: Metrics
    Values Removed: (none)
    Values Added: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Actualbudget Actual
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T19:05:42.615Z

Reserved: 2026-05-04T15:17:09.328Z

Link: CVE-2026-43872

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-12T20:16:45.897

Modified: 2026-06-12T20:16:45.897

Link: CVE-2026-43872

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T21:00:20Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')