Unrated severityNVD Advisory· Published Mar 6, 2026· Updated Mar 6, 2026
Ghostfolio: Full-Read SSRF in Manual Asset Import
CVE-2026-28680
Description
Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal network services. This issue has been patched in version 2.245.0.
Affected products
2<2.245.0+ 1 more
- (no CPE)range: <2.245.0
- (no CPE)range: < 2.245.0
Patches
Vulnerability mechanics
References
2- github.com/ghostfolio/ghostfolio/releases/tag/2.245.0mitrex_refsource_MISC
- github.com/ghostfolio/ghostfolio/security/advisories/GHSA-hhv6-c34h-pwghmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.