CVE-2026-43872
A path traversal vulnerability was discovered in Actual, an open-source personal finance application, in versions prior to 26.5.0. It affects several endpoints and is fixed in version 26.5.0.
These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
A vulnerability was discovered in the Actual open-source personal finance application for macOS, specifically in version 25.x, which is built on Electron 39.2.7. The issue arises from the ELECTRON_RUN_AS_NODE fuse not being disabled, allowing an attacker to invoke the signed Actual.app binary with the ELECTRON_RUN_AS_NODE=1 environment variable. This action converts the application into a Node.js REPL cap [truncated]
A vulnerability was discovered in Actual Budget's sync-server, versions <= 26.4.0. The `POST /openid/config` endpoint returns the full OpenID Connect configuration, including the OAuth2 `client_secret`, to any caller who supplies the bootstrap password. Because the endpoint requires no other authentication and applies no rate limiting, the bootstrap password can be brute-forced. This issue was fixed in version 26.5.0.