VYPR
Unrated severityNVD Advisory· Published Mar 6, 2026· Updated Mar 6, 2026

Ghostfolio: Full-Read SSRF in Manual Asset Import

CVE-2026-28680

Description

Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal network services. This issue has been patched in version 2.245.0.

Affected products

2
  • Ghostfolio/Ghostfoliollm-fuzzy2 versions
    <2.245.0+ 1 more
    • (no CPE)range: <2.245.0
    • (no CPE)range: < 2.245.0

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.