actual — Vulnerabilities & Security Advisories 3

All 3 CVE vulnerabilities found in actual, with AI-generated Chinese analysis, references, and POCs.

CVE ID	Title	CVSS	Severity	Published
CVE-2026-33318	Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers CWE-284	8.8	High	2026-04-24
CVE-2026-27638	ActualBudget missing authorization in sync endpoints allows cross-user budget file access in multi-user mode CWE-862	8.1^AI	High^AI	2026-02-26
CVE-2026-27584	ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints CWE-306	7.5	-	2026-02-24

All 3 known CVE vulnerabilities affecting actual with full Chinese analysis, references, and POCs where available.