CVE-2026-43872
Status: Received - Intake
Path Traversal in Actual Finance App

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Actual is an open-source personal finance application. Prior to version 26.5.0, several endpoints are affected by a path traversal vulnerability. Version 26.5.0 fixes the issue.
Meta Information
Published: 2026-06-12
Last Modified: 2026-06-12
Generated: 2026-06-13
AI Q&A: 2026-06-12
EPSS Evaluated: N/A
Affected Vendors & Products (3 associated CPEs)
Vendor         Product   Version / Range
actual         actual    up to 26.5.0 (excluding)
actualbudget   actual    up to 26.4.0 (including)
actualbudget   actual    26.5.0
CWE
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory): The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.
Mitigation Strategies

To mitigate this path traversal vulnerability in the Actual Budget application, you should upgrade the 'actual' npm package to version 26.5.0 or later, as this version contains the fix.

Executive Summary

CVE-2026-43872 is a path traversal vulnerability found in the Actual Budget application, specifically in the actual-server component. This vulnerability affects versions up to and including 26.4.0. It occurs because several endpoints improperly handle user input, allowing an attacker to manipulate pathnames to access files and directories outside of the intended restricted areas.

This issue is classified as a medium severity vulnerability and is related to CWE-22, which is the improper limitation of a pathname to a restricted directory. The vulnerability was fixed in version 26.5.0 of the application.

Impact Analysis

This vulnerability can allow an attacker to access files and directories outside the intended restricted areas of the Actual Budget application server. By exploiting this path traversal flaw, an attacker might read sensitive files or data that should be protected, potentially leading to unauthorized information disclosure.

Since the vulnerability does not require user interaction and can be exploited remotely, it increases the risk of exposure of sensitive personal finance data managed by the application.

Compliance Impact

The provided information does not specify how the path traversal vulnerability in the Actual Budget application impacts compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves path traversal in several endpoints of the Actual Budget application versions up to 26.4.0. Detection typically involves testing these endpoints for improper handling of pathname inputs that allow traversal outside restricted directories.

A common approach is to send crafted HTTP requests to the affected endpoints with path traversal payloads such as "../" sequences to see if the server returns files or directories outside the intended scope.

Example commands using curl to test for path traversal might include:

  • curl -v "http://<target>/endpoint?file=../../../../etc/passwd"
  • curl -v "http://<target>/endpoint?path=../secret/config.json"

Replace <target> and endpoint with the real server address and the vulnerable endpoint paths. Successful retrieval of files outside the intended directory indicates the presence of the vulnerability.
