CVE-2026-3089 in Sync Serverinformação

Sumário

de MITRE • 09/03/2026

Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments (../) can escape the intended directory and write files outside userFiles.This issue affects prior versions of Actual Sync Server 26.3.0.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Responsável

Fluid Attacks

Reservar

24/02/2026

Divulgação

09/03/2026

Moderação

aceite

Entrada

VDB-349831

CPE

pronto

CWE

CWE-22 (confirmado)

CVSS

5.4 (VulDB)

EPSS

0.00018

KEV

não

Atividades

muito baixo

Fontes

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-3089
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-3089
CVE Details	https://www.cvedetails.com/cve/CVE-2026-3089/

◂ Voltar Visão Geral Próximo ▸

Want to stay up to date on a daily basis?

Enable the mail alert feature now!