CVE-2026-43872 - Vulnerability Details - OpenCVE

ReportizFlow

Actual is an open-source personal finance application. Prior to version 26.5.0, several endpoints are affected by a path traversal vulnerability. Version 26.5.0 fixes the issue.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Actualbudget	Actual

No data.

No data.

References

Link	Providers
https://actualbudget.org/blog/release-26.5.0
https://github.com/actualbudget/actual/security/advisories/GHSA-4wf8-vhhr-4gpv

History

Mon, 15 Jun 2026 20:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 12 Jun 2026 20:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Actualbudget Actualbudget actual
Vendors & Products		Actualbudget Actualbudget actual

Fri, 12 Jun 2026 19:45:00 +0000

Type	Values Removed	Values Added
Description		Actual is an open-source personal finance application. Prior to version 26.5.0, several endpoints are affected by a path traversal vulnerability. Version 26.5.0 fixes the issue.
Title		actual-server has a path traversal vulnerability
Weaknesses		CWE-22
References		https://actualbudget.org/blog/release-26.5.0 https://github.com/actualbudget/actual/security/advisories/GHSA-4wf8-vhhr-4gpv
Metrics		cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-12T19:05:42.615Z

Updated: 2026-06-15T19:28:23.704Z

Reserved: 2026-05-04T15:17:09.328Z

Link: CVE-2026-43872

Vulnrichment

Updated: 2026-06-15T18:40:32.613Z

NVD

Status : Deferred

Published: 2026-06-12T20:16:45.897

Modified: 2026-06-16T15:35:16.600

Link: CVE-2026-43872

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-43872", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-04T15:17:09.328Z", "datePublished": "2026-06-12T19:05:42.615Z", "dateUpdated": "2026-06-15T19:28:23.704Z"}, "containers": {"cna": {"title": "actual-server has a path traversal vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/actualbudget/actual/security/advisories/GHSA-4wf8-vhhr-4gpv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/actualbudget/actual/security/advisories/GHSA-4wf8-vhhr-4gpv"}, {"name": "https://actualbudget.org/blog/release-26.5.0", "tags": ["x_refsource_MISC"], "url": "https://actualbudget.org/blog/release-26.5.0"}], "affected": [{"vendor": "actualbudget", "product": "actual", "versions": [{"version": "< 26.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-12T19:05:42.615Z"}, "descriptions": [{"lang": "en", "value": "Actual is an open-source personal finance application. Prior to version 26.5.0, several endpoints are affected by a path traversal vulnerability. Version 26.5.0 fixes the issue."}], "source": {"advisory": "GHSA-4wf8-vhhr-4gpv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-15T18:33:04.507582Z", "id": "CVE-2026-43872", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-15T19:28:23.704Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-43872", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-04T15:17:09.328Z", "datePublished": "2026-06-12T19:05:42.615Z", "dateUpdated": "2026-06-15T19:28:23.704Z"}, "containers": {"cna": {"title": "actual-server has a path traversal vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/actualbudget/actual/security/advisories/GHSA-4wf8-vhhr-4gpv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/actualbudget/actual/security/advisories/GHSA-4wf8-vhhr-4gpv"}, {"name": "https://actualbudget.org/blog/release-26.5.0", "tags": ["x_refsource_MISC"], "url": "https://actualbudget.org/blog/release-26.5.0"}], "affected": [{"vendor": "actualbudget", "product": "actual", "versions": [{"version": "< 26.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-12T19:05:42.615Z"}, "descriptions": [{"lang": "en", "value": "Actual is an open-source personal finance application. Prior to version 26.5.0, several endpoints are affected by a path traversal vulnerability. Version 26.5.0 fixes the issue."}], "source": {"advisory": "GHSA-4wf8-vhhr-4gpv", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-43872", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-15T18:33:04.507582Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-15T18:40:32.613Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Actual is an open-source personal finance application. Prior to version 26.5.0, several endpoints are affected by a path traversal vulnerability. Version 26.5.0 fixes the issue."}], "id": "CVE-2026-43872", "lastModified": "2026-06-16T15:35:16.600", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-06-12T20:16:45.897", "references": [{"source": "[email protected]", "url": "https://actualbudget.org/blog/release-26.5.0"}, {"source": "[email protected]", "url": "https://github.com/actualbudget/actual/security/advisories/GHSA-4wf8-vhhr-4gpv"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "[email protected]", "type": "Primary"}]}