Launch Week Day 1: Announcing Security Design Review
Start for Free
npm

@actual-app/sync-server

View on npm registry
5 Total advisories
5 Vulnerabilities
0 Malware

Vulnerabilities

MEDIUM 4.2
npm

GHSA-xvp7-8vm8-xfxx

Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers
HIGH 8.8
npm

CVE-2026-33318

Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers
UNKNOWN
npm

CVE-2026-3089

Actual Sync Server has an Authenticated Path Traversal
UNKNOWN
npm

CVE-2026-27638

@actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode
UNKNOWN
npm

CVE-2026-27584

ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes