{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39901", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T20:32:03.012Z", "datePublished": "2026-04-08T21:02:56.280Z", "dateUpdated": "2026-04-10T20:55:42.904Z"}, "containers": {"cna": {"title": "monetr: Protected Transactions Deletable via PUT", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/monetr/monetr/security/advisories/GHSA-hqxq-hwqf-wg83", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/monetr/monetr/security/advisories/GHSA-hqxq-hwqf-wg83"}], "affected": [{"vendor": "monetr", "product": "monetr", "versions": [{"version": "< 1.12.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T21:02:56.280Z"}, "descriptions": [{"lang": "en", "value": "monetr is a budgeting application focused on planning for recurring expenses. Prior to 1.12.3, a transaction integrity flaw allows an authenticated tenant user to soft-delete synced non-manual transactions through the transaction update endpoint, despite the application explicitly blocking deletion of those transactions via the normal DELETE path. This bypass undermines the intended protection for imported transaction records and allows protected transactions to be hidden from normal views. This vulnerability is fixed in 1.12.3."}], "source": {"advisory": "GHSA-hqxq-hwqf-wg83", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T20:55:29.434428Z", "id": "CVE-2026-39901", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T20:55:42.904Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39901", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T20:55:29.434428Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T20:55:39.425Z"}}], "cna": {"title": "monetr: Protected Transactions Deletable via PUT", "source": {"advisory": "GHSA-hqxq-hwqf-wg83", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "monetr", "product": "monetr", "versions": [{"status": "affected", "version": "< 1.12.3"}]}], "references": [{"url": "https://github.com/monetr/monetr/security/advisories/GHSA-hqxq-hwqf-wg83", "name": "https://github.com/monetr/monetr/security/advisories/GHSA-hqxq-hwqf-wg83", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "monetr is a budgeting application focused on planning for recurring expenses. Prior to 1.12.3, a transaction integrity flaw allows an authenticated tenant user to soft-delete synced non-manual transactions through the transaction update endpoint, despite the application explicitly blocking deletion of those transactions via the normal DELETE path. This bypass undermines the intended protection for imported transaction records and allows protected transactions to be hidden from normal views. This vulnerability is fixed in 1.12.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T21:02:56.280Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39901", "state": "PUBLISHED", "dateUpdated": "2026-04-10T20:55:42.904Z", "dateReserved": "2026-04-07T20:32:03.012Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T21:02:56.280Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "monetr is a budgeting application focused on planning for recurring expenses. Prior to 1.12.3, a transaction integrity flaw allows an authenticated tenant user to soft-delete synced non-manual transactions through the transaction update endpoint, despite the application explicitly blocking deletion of those transactions via the normal DELETE path. This bypass undermines the intended protection for imported transaction records and allows protected transactions to be hidden from normal views. This vulnerability is fixed in 1.12.3."}], "id": "CVE-2026-39901", "lastModified": "2026-04-16T14:57:08.337", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T22:16:22.010", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/monetr/monetr/security/advisories/GHSA-hqxq-hwqf-wg83"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.12.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "monetr", "source": "cna", "vendor": "monetr"}, "product": "monetr", "vendor": "monetr"}], "analysis": {"en": {"generated_at": "2026-04-08T22:59:51.941429+00:00", "value": {"mitigation_remediation": ["Upgrade monetr to version 1.12.3 or later.", "Verify that the transaction update endpoint no longer permits deletion of protected transactions."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Deletion of Protected Transactions"}, "threat_synthesis": {"affected_systems": "The issue impacts all monetr installations running versions prior to 1.12.3. Any tenant user with authentication privileges can exploit the flaw by using the transaction update API to delete protected transactions.", "description_and_impact": "In monetr, a budgeting application, a transaction integrity flaw permits an authenticated tenant user to soft\u2011delete imported non\u2011manual transactions through the update (PUT) endpoint, even though the standard DELETE route explicitly blocks such deletions. By setting the deleted flag on these protected records, a user can hide them from normal views, thereby compromising the integrity of the application's transaction data.", "risk_and_exploitability": "The vulnerability is assigned a CVSS score of 5.7, indicating moderate severity. EPSS data is not available, and it is not listed in the CISA KEV catalog. The likely attack vector is an authenticated user leveraging the PUT endpoint; this inference is drawn from the description of the update-based deletion capability. Because authorization is required, the flaw is not publicly exploitable without tenant credentials, but it undermines internal data integrity controls and warrants prompt mitigation."}}}}, "created": "2026-04-09T08:17:46.508761+00:00", "updated": "2026-04-09T08:27:09.998826+00:00", "vendors": ["monetr", "monetr$PRODUCT$monetr"]}