Search criteria
2 vulnerabilities by ghostfol
CVE-2026-28785 (GCVE-0-2026-28785)
Vulnerability from cvelistv5 – Published: 2026-03-06 04:27 – Updated: 2026-03-06 16:07
VLAI
Title
Ghostfolio: Time-Based Blind SQL Injection in Manual Asset Import
Summary
Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL commands via the getHistorical() method, potentially allowing them to read, modify, or delete sensitive financial data for all users in the database. This issue has been patched in version 2.244.0.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/ghostfolio/ghostfolio/security… | x_refsource_CONFIRM |
| https://github.com/ghostfolio/ghostfolio/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ghostfolio | ghostfolio |
Affected:
< 2.244.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28785",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T16:00:12.447485Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T16:07:18.757Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ghostfolio",
"vendor": "ghostfolio",
"versions": [
{
"status": "affected",
"version": "\u003c 2.244.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL commands via the getHistorical() method, potentially allowing them to read, modify, or delete sensitive financial data for all users in the database. This issue has been patched in version 2.244.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T04:27:07.645Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-m5cc-7jw5-34xp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-m5cc-7jw5-34xp"
},
{
"name": "https://github.com/ghostfolio/ghostfolio/releases/tag/2.244.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ghostfolio/ghostfolio/releases/tag/2.244.0"
}
],
"source": {
"advisory": "GHSA-m5cc-7jw5-34xp",
"discovery": "UNKNOWN"
},
"title": "Ghostfolio: Time-Based Blind SQL Injection in Manual Asset Import"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28785",
"datePublished": "2026-03-06T04:27:07.645Z",
"dateReserved": "2026-03-03T14:25:19.244Z",
"dateUpdated": "2026-03-06T16:07:18.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28680 (GCVE-0-2026-28680)
Vulnerability from cvelistv5 – Published: 2026-03-06 04:26 – Updated: 2026-03-06 16:07
VLAI
Title
Ghostfolio: Full-Read SSRF in Manual Asset Import
Summary
Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal network services. This issue has been patched in version 2.245.0.
Severity
9.3 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/ghostfolio/ghostfolio/security… | x_refsource_CONFIRM |
| https://github.com/ghostfolio/ghostfolio/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ghostfolio | ghostfolio |
Affected:
< 2.245.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28680",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T16:00:14.619218Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T16:07:29.614Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ghostfolio",
"vendor": "ghostfolio",
"versions": [
{
"status": "affected",
"version": "\u003c 2.245.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal network services. This issue has been patched in version 2.245.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T04:26:51.379Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-hhv6-c34h-pwgh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-hhv6-c34h-pwgh"
},
{
"name": "https://github.com/ghostfolio/ghostfolio/releases/tag/2.245.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ghostfolio/ghostfolio/releases/tag/2.245.0"
}
],
"source": {
"advisory": "GHSA-hhv6-c34h-pwgh",
"discovery": "UNKNOWN"
},
"title": "Ghostfolio: Full-Read SSRF in Manual Asset Import"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28680",
"datePublished": "2026-03-06T04:26:51.379Z",
"dateReserved": "2026-03-02T21:43:19.927Z",
"dateUpdated": "2026-03-06T16:07:29.614Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}