Search criteria
2 vulnerabilities by ghostfolio
CVE-2026-28785 (GCVE-0-2026-28785)
Vulnerability from cvelistv5 – Published: 2026-03-06 04:27 – Updated: 2026-03-06 16:07
VLAI?
Title
Ghostfolio: Time-Based Blind SQL Injection in Manual Asset Import
Summary
Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL commands via the getHistorical() method, potentially allowing them to read, modify, or delete sensitive financial data for all users in the database. This issue has been patched in version 2.244.0.
Severity ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ghostfolio | ghostfolio |
Affected:
< 2.244.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28785",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T16:00:12.447485Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T16:07:18.757Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ghostfolio",
"vendor": "ghostfolio",
"versions": [
{
"status": "affected",
"version": "\u003c 2.244.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL commands via the getHistorical() method, potentially allowing them to read, modify, or delete sensitive financial data for all users in the database. This issue has been patched in version 2.244.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T04:27:07.645Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-m5cc-7jw5-34xp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-m5cc-7jw5-34xp"
},
{
"name": "https://github.com/ghostfolio/ghostfolio/releases/tag/2.244.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ghostfolio/ghostfolio/releases/tag/2.244.0"
}
],
"source": {
"advisory": "GHSA-m5cc-7jw5-34xp",
"discovery": "UNKNOWN"
},
"title": "Ghostfolio: Time-Based Blind SQL Injection in Manual Asset Import"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28785",
"datePublished": "2026-03-06T04:27:07.645Z",
"dateReserved": "2026-03-03T14:25:19.244Z",
"dateUpdated": "2026-03-06T16:07:18.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28680 (GCVE-0-2026-28680)
Vulnerability from cvelistv5 – Published: 2026-03-06 04:26 – Updated: 2026-03-06 16:07
VLAI?
Title
Ghostfolio: Full-Read SSRF in Manual Asset Import
Summary
Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal network services. This issue has been patched in version 2.245.0.
Severity ?
9.3 (Critical)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ghostfolio | ghostfolio |
Affected:
< 2.245.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28680",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T16:00:14.619218Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T16:07:29.614Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ghostfolio",
"vendor": "ghostfolio",
"versions": [
{
"status": "affected",
"version": "\u003c 2.245.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal network services. This issue has been patched in version 2.245.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T04:26:51.379Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-hhv6-c34h-pwgh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-hhv6-c34h-pwgh"
},
{
"name": "https://github.com/ghostfolio/ghostfolio/releases/tag/2.245.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ghostfolio/ghostfolio/releases/tag/2.245.0"
}
],
"source": {
"advisory": "GHSA-hhv6-c34h-pwgh",
"discovery": "UNKNOWN"
},
"title": "Ghostfolio: Full-Read SSRF in Manual Asset Import"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28680",
"datePublished": "2026-03-06T04:26:51.379Z",
"dateReserved": "2026-03-02T21:43:19.927Z",
"dateUpdated": "2026-03-06T16:07:29.614Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}