Actual Budget Server Exposed: 1 Critical, 14 High-Severity Vulnerabilities Found in Latest Image
A security scan of the official Actual Budget server image has uncovered a cluster of 15 unpatched vulnerabilities, including one rated Critical and 14 rated High. The scan, dated March 13, 2026, shows that the `actualbudget/actual-server:latest` container currently ships with exploitable flaws in core system libraries and key application dependencies, leaving deployments at immediate risk of heap corruption, denial-of-service attacks, and potential remote code execution.
The most severe finding is CVE-2023-45853, a Critical integer overflow vulnerability in the `zlib1g` compression library for which no fixed version is currently available. This flaw could lead to heap-based buffer overflows. The scan also flags a High-severity integer overflow in the `libc-bin` package (CVE-2026-0861) and multiple High-severity issues in application-level dependencies such as `axios` (CVE-2026-25639) and `express-rate-limit` (CVE-2026-30827), which are susceptible to denial-of-service attacks. Notably, several of these vulnerabilities, including the critical zlib flaw, are marked "No fix" in the fixed-version column, meaning that no patched package has yet been upstreamed or applied to the image.
This vulnerability profile presents a significant operational and data integrity risk for any organization or individual running the default Actual Budget server. The presence of unfixed flaws in foundational system libraries like glibc and zlib exposes the entire application stack to potential compromise. Administrators are under pressure to assess their exposure, as the container's current state could allow attackers to crash services, corrupt financial data in memory, or gain unauthorized access. The situation underscores the persistent security challenges in maintaining open-source financial software and containerized deployments.