npm

actual

7 known vulnerabilities · 0 critical · 0 high

GHSA-7rvm-xjpp-63r9

actual Allows Electron to Run As Node

Published Jun 8, 2026

CVE-2026-3089

Actual Sync Server has an Authenticated Path Traversal

Published Mar 10, 2026

CVE-2026-27638

@actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode

Published Feb 27, 2026

GHSA-prp4-2f49-fcgp

Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers

Published Apr 23, 2026

GHSA-xvp7-8vm8-xfxx

Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers

Published Oct 20, 2025

CVE-2026-27584

ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints

Published Feb 24, 2026

MAL-2022-840

Malicious code in actual-malware (npm)

Published Jun 20, 2022