๐Ÿ” CVE Alert

CVE-2026-43872

UNKNOWN 0.0

actual-server has a path traversal vulnerability

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 8th

Actual is an open-source personal finance application. Prior to version 26.5.0, several endpoints are affected by a path traversal vulnerability. Version 26.5.0 fixes the issue.

CWE: CWE-22
Vendor: actualbudget
Product: actual
Published: Jun 12, 2026

Affected Versions

actualbudget / actual
< 26.5.0

References

github.com: https://github.com/actualbudget/actual/security/advisories/GHSA-4wf8-vhhr-4gpv
actualbudget.org: https://actualbudget.org/blog/release-26.5.0