PatchSiren cyber security CVE debrief
CVE-2026-43872 actualbudget CVE debrief
A path traversal vulnerability was discovered in Actual, an open-source personal finance application, prior to version 26.5.0. The vulnerability affects several endpoints and has been fixed in version 26.5.0.
- Vendor: actualbudget
- Product: actual
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of the Actual open-source personal finance application running versions prior to 26.5.0.
Technical summary
The vulnerability is a path traversal issue (CWE-22) with a CVSS score of 5.3 and a severity of MEDIUM. It allows an attacker to traverse the file system, potentially leading to unauthorized access to sensitive files.
Defensive priority
MEDIUM
Recommended defensive actions
- Update Actual to version 26.5.0 or later to fix the issue.
- Review and monitor endpoint access to prevent potential exploitation.
Evidence notes
The CVE record was published on 2026-06-12T20:16:45.897Z and has not been modified since. The vulnerability was reported via [email protected].
Official resources
CVE-2026-43872 was published on 2026-06-12T20:16:45.897Z.