CVE-2026-28785

Sažetak

Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL commands via the getHistorical() method, potentially allowing them to read, modify, or delete sensitive financial data for all users in the database. This issue has been patched in version 2.244.0.

Reference

https://github.com/ghostfolio/ghostfolio/releases/tag/2.244.0
https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-m5cc-7jw5-34xp

CVSS

Base:	9.8
Impact:	5.9
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	HIGH

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Zadnje važnije ažuriranje

10-03-2026 - 19:51

Objavljeno

06-03-2026 - 05:16