Actual Budget Server Exposed: 6 Critical & High Vulnerabilities Found in Latest Image
A security scan of the latest Actual Budget server image has uncovered six new vulnerabilities, including two rated as critical. The scan, dated March 31, 2026, reveals that the `actualbudget/actual-server:latest` container is running outdated and vulnerable packages, exposing the popular open-source budgeting platform to potential arbitrary code execution, denial-of-service attacks, and prototype pollution exploits.
The most severe flaws are two critical vulnerabilities (CVE-2026-33863, CVE-2026-33864) in the `convict` configuration library (version 6.2.4), which are fixed in version 6.2.5. These prototype pollution vulnerabilities could allow attackers to manipulate the application's behavior. Additionally, four high-severity vulnerabilities were found, including a flaw in `libsystemd0` (CVE-2026-29111) that could lead to arbitrary code execution or denial of service, and a buffer overflow in `libtinfo6` (CVE-2025-69720). Notably, fixes are not yet available for these high-severity system-level packages.
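A practitioner reading findings like these usually wants a repeatable way to check whether their own running image carries the affected package versions, rather than trusting the `latest` tag. The following Python script is an added example, not part of the report or of the Actual Budget project: it takes the CVE ids, package names, severities and the `convict` fix version (6.2.5) as stated above, and compares them against a constructed "name version" inventory of the kind you could assemble inside the container (for instance from `npm ls --depth=0` for Node packages and `dpkg-query -W -f='${Package} ${Version}\n'` for OS packages). The inventory text, the `some-other-lib` entry and the OS package version strings are placeholders, not values from the report. Because the report says no fix is available for `libsystemd0` and `libtinfo6`, the script does not attempt Debian version comparison for them and simply flags them as needing compensating controls; the semver comparison used for `convict` is a deliberately minimal one.

```python
"""Check a container's package inventory against the findings cited in the scan report.

Added example, not from the report or the Actual Budget project. CVE ids, package
names, severities and the convict fix version come from the report; the inventory
text below is constructed sample input.
"""
import re

# Findings as stated in the report. fixed=None means the report says no fix is available yet.
FINDINGS = {
    "convict":     {"severity": "critical", "fixed": "6.2.5",
                    "cves": ["CVE-2026-33863", "CVE-2026-33864"]},
    "libsystemd0": {"severity": "high", "fixed": None, "cves": ["CVE-2026-29111"]},
    "libtinfo6":   {"severity": "high", "fixed": None, "cves": ["CVE-2025-69720"]},
}

# Constructed inventory in "name version" form. The OS package versions and the
# some-other-lib entry are placeholders, not values taken from the report.
SAMPLE_INVENTORY = """\
convict 6.2.4
libsystemd0 0.0-placeholder
libtinfo6 0.0-placeholder
some-other-lib 1.0.0
"""


def parse_inventory(text: str) -> dict:
    """Parse 'name version' lines; blank lines and lines without a version are ignored."""
    inventory = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            inventory[parts[0]] = parts[1]
    return inventory


def semver_key(version: str) -> tuple:
    """Numeric (major, minor, patch) for npm-style versions; pre-release tags are dropped.

    Minimal on purpose: enough for comparing 6.2.4 against 6.2.5, not a full semver parser.
    """
    core = version.split("-", 1)[0].lstrip("v")
    nums = [int(p) for p in re.findall(r"\d+", core)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def assess(inventory: dict) -> list:
    """Return one record per reported finding whose package is installed, with a status.

    Statuses: 'vulnerable-upgrade' (a fixed version exists and the installed one is older),
    'vulnerable-no-fix' (the report lists no fix; apply compensating controls), or 'ok'.
    """
    results = []
    for name, finding in FINDINGS.items():
        installed = inventory.get(name)
        if installed is None:
            continue  # package not present in this image
        fixed = finding["fixed"]
        if fixed is None:
            # No fix per the report, so no version comparison is meaningful yet.
            status = "vulnerable-no-fix"
        elif semver_key(installed) < semver_key(fixed):
            status = "vulnerable-upgrade"
        else:
            status = "ok"
        results.append({"package": name, "installed": installed, "fixed": fixed,
                        "severity": finding["severity"], "cves": finding["cves"],
                        "status": status})
    return results


if __name__ == "__main__":
    for r in assess(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{r['severity']:8} {r['package']:12} {r['installed']:>16} "
              f"{r['status']:20} {', '.join(r['cves'])}")
```

Run inside a real deployment, the two "no fix" entries are the ones to track: until a patched image ships, they are the reason to keep the container's OS layer unprivileged and its network exposure minimal, while `convict` is a straightforward upgrade once a rebuilt image carries 6.2.5.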
This cluster of unpatched vulnerabilities in a core financial application server creates a significant attack surface. Users and administrators running the default `latest` image are at immediate risk. The presence of critical flaws in a core dependency like `convict`, combined with unfixed high-severity issues in the underlying OS layer, puts urgent pressure on the Actual Budget project to release a patched container image, and on users to scrutinize their deployment security posture in the meantime.