CVE-2026-39901 MEDIUM

CVE-2026-39901: monetr: Protected Transactions Deletable via PUT

Vendor Monetr
Product monetr
Weakness CWE-285
Published April 8, 2026
Last update April 10, 2026
View on NVD All CVEs

CVSS base score

5.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

monetr is a budgeting application focused on planning for recurring expenses. Prior to 1.12.3, a transaction integrity flaw allows an authenticated tenant user to soft-delete synced non-manual transactions through the transaction update endpoint, despite the application explicitly blocking deletion of those transactions via the normal DELETE path. This bypass undermines the intended protection for imported transaction records and allows protected transactions to be hidden from normal views. This vulnerability is fixed in 1.12.3.

Key dates

02Disclosure timeline

April 8, 2026 CVE published
April 10, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-3921 PeproDev Ultimate Profile Solutions 1.9.1 - 7.5.2 - Missing Authorization to Limited Unauthenticated Arbitrary User Meta Update via handel_ajax_req Function CVE-2026-13511 VoltAgent Memory REST API memory.handlers.ts handleGetMemoryConversation improper authorization CVE-2014-2349 Emerson DeltaV Use of Improper Authorization CVE-2021-25507 CVE-2026-3761 SourceCodester Client Database Management System Endpoint superadmin_user_delete.php improper authorization