Unrated severityNVD Advisory· Published Mar 6, 2026· Updated Mar 6, 2026

Ghostfolio: Time-Based Blind SQL Injection in Manual Asset Import

CVE-2026-28785

Description

Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL commands via the getHistorical() method, potentially allowing them to read, modify, or delete sensitive financial data for all users in the database. This issue has been patched in version 2.244.0.

Affected products

Ghostfolio/Ghostfoliollm-create
Range: <2.244.0
ghostfolio/ghostfoliov5
Range: < 2.244.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/ghostfolio/ghostfolio/releases/tag/2.244.0mitrex_refsource_MISC
github.com/ghostfolio/ghostfolio/security/advisories/GHSA-m5cc-7jw5-34xpmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000