OsVault/npm/@actual-app/sync-server
npm

@actual-app/sync-server

5 known vulnerabilities · 0 critical · 0 high

CVE-2026-3089

Actual Sync Server has an Authenticated Path Traversal

Published Mar 10, 2026
CVE-2026-27638

@actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode

Published Feb 27, 2026
GHSA-prp4-2f49-fcgp

Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers

Published Apr 23, 2026
GHSA-xvp7-8vm8-xfxx

Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers

Published Oct 20, 2025
CVE-2026-27584

ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints

Published Feb 24, 2026
Check your entire dependency tree at onceRun dependency scan →