CVE-2026-28785 — CRITICAL (9.8)

Q: How severe is CVE-2026-28785?

CVE-2026-28785 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2026-28785?

Check the references section above for vendor advisories and patch information. Affected products include: Ghostfol Ghostfolio.

Vulnerability Description

Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL commands via the getHistorical() method, potentially allowing them to read, modify, or delete sensitive financial data for all users in the database. This issue has been patched in version 2.244.0.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Ghostfol	Ghostfolio	< 2.244.0

Related Weaknesses (CWE)

CWE-89

References

https://github.com/ghostfolio/ghostfolio/releases/tag/2.244.0ProductRelease Notes
https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-m5cc-7jw5-34xpMitigationPatchVendor Advisory

FAQ

What is CVE-2026-28785?

CVE-2026-28785 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL commands via the getHistorical() method, potent...

How severe is CVE-2026-28785?

CVE-2026-28785 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2026-28785?

Check the references section above for vendor advisories and patch information. Affected products include: Ghostfol Ghostfolio.