CVE-2026-3089

Sažetak

Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments (../) can escape the intended directory and write files outside userFiles.This issue affects prior versions of Actual Sync Server 26.3.0.

Reference

https://fluidattacks.com/advisories/fugue
https://github.com/actualbudget/actual
https://github.com/actualbudget/actual/pull/7067
https://fluidattacks.com/advisories/fugue

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

11-03-2026 - 13:53

Objavljeno

09-03-2026 - 14:16