Summary
@actual-app/sync-server's missing authorization on GET /secret/:name allows non-admin OpenID users to enumerate admin-configured bank-sync secrets
Related vulnerabilities
- LOW GHSA-MWR2-WMGP-CRJ6: OpenBao's System Backend allows Unauthorized Management of the containing Namespace
- MEDIUM GHSA-FCVX-5CXC-V5P8: OpenClaw: Slack reaction events could ignore reaction notification settings
- MEDIUM GHSA-JR45-52CW-69H5: NL Portal Backend Libraries: Document contents remained downloadable by any logged-in user (incomplete fix of CVE-2026-49463)
- HIGH GHSA-WV27-2VQP-J7G5: Gogs has the ability to import local repositories via Mirror Settings
- HIGH GHSA-PWX3-QCGW-VH7H: Gogs Vulnerable to CSRF Leading to Organization Owner Takeover
- HIGH GHSA-P9F5-H3RX-J5QW: Gogs Missing Authorization in Attachment Download