Lookup for vulnerable packages by Package URL.

Purl pkg:npm/%40actual-app/sync-server@26.2.0-nightly.20260105
Type npm
Namespace @actual-app
Name sync-server
Version 26.2.0-nightly.20260105
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 26.4.0
Latest_non_vulnerable_version 26.4.0
Affected_by_vulnerabilities
0
url VCID-54jg-avs1-q3ex
vulnerability_id VCID-54jg-avs1-q3ex
summary Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments (../) can escape the intended directory and write files outside userFiles. This issue affects Actual Sync Server versions prior to 26.3.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-3089
reference_id
reference_type
scores
0
value 0.00018
scoring_system epss
scoring_elements 0.04917
published_at 2026-06-11T12:55:00Z
1
value 0.00018
scoring_system epss
scoring_elements 0.04897
published_at 2026-06-14T12:55:00Z
2
value 0.00018
scoring_system epss
scoring_elements 0.04907
published_at 2026-06-13T12:55:00Z
3
value 0.00018
scoring_system epss
scoring_elements 0.04922
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-3089
1
reference_url https://github.com/actualbudget/actual/commit/18072e1d8b5281db43ded8b21433ee177bae9dfa
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/actualbudget/actual/commit/18072e1d8b5281db43ded8b21433ee177bae9dfa
2
reference_url https://github.com/actualbudget/actual/pull/7067
reference_id 7067
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T14:54:20Z/
url https://github.com/actualbudget/actual/pull/7067
3
reference_url https://github.com/actualbudget/actual
reference_id actual
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T14:54:20Z/
url https://github.com/actualbudget/actual
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-3089
reference_id CVE-2026-3089
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-3089
5
reference_url https://fluidattacks.com/advisories/fugue
reference_id fugue
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T14:54:20Z/
url https://fluidattacks.com/advisories/fugue
6
reference_url https://github.com/actualbudget/actual/security/advisories/GHSA-27vg-33gh-4hwg
reference_id GHSA-27vg-33gh-4hwg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/actualbudget/actual/security/advisories/GHSA-27vg-33gh-4hwg
7
reference_url https://github.com/advisories/GHSA-27vg-33gh-4hwg
reference_id GHSA-27vg-33gh-4hwg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-27vg-33gh-4hwg
fixed_packages
0
url pkg:npm/%40actual-app/sync-server@26.3.0
purl pkg:npm/%40actual-app/sync-server@26.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-fwkc-x69x-f3c6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540actual-app/sync-server@26.3.0
aliases CVE-2026-3089, GHSA-27vg-33gh-4hwg
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-54jg-avs1-q3ex
1
url VCID-6r6v-vmdj-u3g3
vulnerability_id VCID-6r6v-vmdj-u3g3
summary Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information. This vulnerability allows an unauthenticated attacker to read the bank account balance and transaction history of ActualBudget users. This vulnerability impacts all ActualBudget Server users with the SimpleFIN or Pluggy.ai integrations configured. The ActualBudget Server instance must be reachable over the network. Version 26.2.1 patches the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27584
reference_id
reference_type
scores
0
value 0.00171
scoring_system epss
scoring_elements 0.38292
published_at 2026-06-13T12:55:00Z
1
value 0.00171
scoring_system epss
scoring_elements 0.3828
published_at 2026-06-14T12:55:00Z
2
value 0.00171
scoring_system epss
scoring_elements 0.3827
published_at 2026-06-12T12:55:00Z
3
value 0.00171
scoring_system epss
scoring_elements 0.38094
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27584
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27584
reference_id CVE-2026-27584
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27584
2
reference_url https://github.com/actualbudget/actual/commit/ea937d100956ca56689ff852d99c28589e2a7d88
reference_id ea937d100956ca56689ff852d99c28589e2a7d88
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:48:49Z/
url https://github.com/actualbudget/actual/commit/ea937d100956ca56689ff852d99c28589e2a7d88
3
reference_url https://github.com/actualbudget/actual/security/advisories/GHSA-m2cq-xjgm-f668
reference_id GHSA-m2cq-xjgm-f668
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
1
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-27T20:48:49Z/
url https://github.com/actualbudget/actual/security/advisories/GHSA-m2cq-xjgm-f668
4
reference_url https://github.com/advisories/GHSA-m2cq-xjgm-f668
reference_id GHSA-m2cq-xjgm-f668
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m2cq-xjgm-f668
fixed_packages
0
url pkg:npm/%40actual-app/sync-server@26.2.1
purl pkg:npm/%40actual-app/sync-server@26.2.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-54jg-avs1-q3ex
1
vulnerability VCID-fwkc-x69x-f3c6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540actual-app/sync-server@26.2.1
aliases CVE-2026-27584, GHSA-m2cq-xjgm-f668
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6r6v-vmdj-u3g3
2
url VCID-fwkc-x69x-f3c6
vulnerability_id VCID-fwkc-x69x-f3c6
summary Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user (including `BASIC` role) can escalate to `ADMIN` on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: `POST /account/change-password` has no authorization check, allowing any session to overwrite the password hash; the inactive password `auth` row is never removed on migration; and the login endpoint accepts a client-supplied `loginMethod` that bypasses the server's active auth configuration. Together these allow an attacker to set a known password and authenticate as the anonymous admin account created during the multiuser migration. The three weaknesses form a single, sequential exploit chain — none produces privilege escalation on its own. Missing authorization on POST /change-password allows overwriting a password hash, but only matters if there is an orphaned row to target. Orphaned password row persisting after migration provides the target row, but is harmless without the ability to authenticate using it. Client-controlled loginMethod: "password" allows forcing password-based auth, but is useless without a known hash established by step 1. All three must be chained in sequence to achieve the impact. No single weakness independently results in privilege escalation. The single root cause is the missing authorization check on /change-password; the other two are preconditions that make it exploitable. Version 26.4.0 contains a fix.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33318
reference_id
reference_type
scores
0
value 0.00041
scoring_system epss
scoring_elements 0.12878
published_at 2026-06-14T12:55:00Z
1
value 0.00041
scoring_system epss
scoring_elements 0.12791
published_at 2026-06-11T12:55:00Z
2
value 0.00041
scoring_system epss
scoring_elements 0.12886
published_at 2026-06-12T12:55:00Z
3
value 0.00041
scoring_system epss
scoring_elements 0.12896
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33318
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33318
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33318
2
reference_url https://github.com/actualbudget/actual/security/advisories/GHSA-prp4-2f49-fcgp
reference_id GHSA-prp4-2f49-fcgp
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-25T01:43:46Z/
url https://github.com/actualbudget/actual/security/advisories/GHSA-prp4-2f49-fcgp
3
reference_url https://github.com/advisories/GHSA-prp4-2f49-fcgp
reference_id GHSA-prp4-2f49-fcgp
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-prp4-2f49-fcgp
4
reference_url https://actualbudget.org/blog/release-26.4.0
reference_id release-26.4.0
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-25T01:43:46Z/
url https://actualbudget.org/blog/release-26.4.0
fixed_packages
0
url pkg:npm/%40actual-app/sync-server@26.4.0
purl pkg:npm/%40actual-app/sync-server@26.4.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540actual-app/sync-server@26.4.0
aliases CVE-2026-33318, GHSA-prp4-2f49-fcgp
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fwkc-x69x-f3c6
3
url VCID-kpar-9vye-e7eg
vulnerability_id VCID-kpar-9vye-e7eg
summary Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID. Version 26.2.1 patches the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27638
reference_id
reference_type
scores
0
value 0.00039
scoring_system epss
scoring_elements 0.12211
published_at 2026-06-12T12:55:00Z
1
value 0.00039
scoring_system epss
scoring_elements 0.1219
published_at 2026-06-14T12:55:00Z
2
value 0.00039
scoring_system epss
scoring_elements 0.12118
published_at 2026-06-11T12:55:00Z
3
value 0.00039
scoring_system epss
scoring_elements 0.12212
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27638
1
reference_url https://github.com/actualbudget/actual/commit/9966c024cb75f57943193cac8e42f401efed9d08
reference_id 9966c024cb75f57943193cac8e42f401efed9d08
reference_type
scores
0
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-02T20:48:46Z/
url https://github.com/actualbudget/actual/commit/9966c024cb75f57943193cac8e42f401efed9d08
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27638
reference_id CVE-2026-27638
reference_type
scores
0
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27638
3
reference_url https://github.com/actualbudget/actual/security/advisories/GHSA-qmjj-p7m9-wjrv
reference_id GHSA-qmjj-p7m9-wjrv
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-02T20:48:46Z/
url https://github.com/actualbudget/actual/security/advisories/GHSA-qmjj-p7m9-wjrv
4
reference_url https://github.com/advisories/GHSA-qmjj-p7m9-wjrv
reference_id GHSA-qmjj-p7m9-wjrv
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qmjj-p7m9-wjrv
5
reference_url https://github.com/actualbudget/actual/releases/tag/v26.2.1
reference_id v26.2.1
reference_type
scores
0
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-02T20:48:46Z/
url https://github.com/actualbudget/actual/releases/tag/v26.2.1
fixed_packages
0
url pkg:npm/%40actual-app/sync-server@26.2.1
purl pkg:npm/%40actual-app/sync-server@26.2.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-54jg-avs1-q3ex
1
vulnerability VCID-fwkc-x69x-f3c6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540actual-app/sync-server@26.2.1
aliases CVE-2026-27638, GHSA-qmjj-p7m9-wjrv
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kpar-9vye-e7eg
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540actual-app/sync-server@26.2.0-nightly.20260105