CVE-2026-28785 Ghostfolio — Exploit & Vulnerability Details CRITICAL

Parameter	Value
CVSS	9.3 (CRITICAL)
Fixed In	2.244.0
Type	CWE-89 (SQL Injection (SQL-инъекция))
Vendor	Ghostfolio
Public PoC	No

Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL commands via the getHistorical() method, potentially allowing them to read, modify, or delete sensitive financial data for all users in the database. This issue has been patched in version 2.244.0.

Attack Parameters

Attack Vector

Network

Атака возможна удалённо

Attack Complexity

Low

Легко эксплуатировать

Attack Requirements

None

Нет дополнительных условий

Privileges Required

None

Права не нужны

User Interaction

None

Не нужно действие пользователя

Impact Assessment

Confidentiality

High

Полная утечка данных

Integrity

High

Полная модификация данных

Availability

None

Нет нарушения работы

CVSS Vector v4.0

Weakness Type (CWE)

CWE-89 SQL Injection (SQL-инъекция)

References 2

https://github.com/ghostfolio/ghostfolio/releases/tag/2.244.0

security-advisories@github.com

https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-m5cc-7jw5-34xp

security-advisories@github.com

Share Post Share Share Share

Related Vulnerabilities

CVE-2026-28680

Ghostfolio

9.3

Menu

CVE-2026-28785

Attack Parameters

Impact Assessment

CVSS Vector v4.0

Weakness Type (CWE)

References 2

Related Vulnerabilities

CVE-2026-28680

CVE Details

Editor's Choice