CVE-2026-3089
EUVD-2026-1034009.03.2026, 14:16
Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments (../) can escape the intended directory and write files outside userFiles.This issue affects prior versions of Actual Sync Server 26.3.0.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| actualbudget | actual | 𝑥 < 26.3.0 |
𝑥
= Vulnerable software versions