Security Advisories for @actual-app/sync-server in npm
High
19 days ago
@actual-app/sync-server: Disabled OpenID users keep access through existing session tokens
npm
@actual-app/sync-server
Moderate
19 days ago
@actual-app/sync-server's missing authorization on GET /secret/:name allows non-admin OpenID users to enumerate admin-configured bank-sync secrets
npm
@actual-app/sync-server
High
3 months ago
Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers
npm
@actual-app/sync-server
Moderate
4 months ago
Actual Sync Server has an Authenticated Path Traversal
npm
@actual-app/sync-server
Moderate
4 months ago
@actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode
npm
@actual-app/sync-server
Critical
5 months ago
ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints
npm
@actual-app/sync-server
Moderate
9 months ago
Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers
npm
@actual-app/sync-server