Skip to main content

Ghostfolio

3 CVEs product

Monthly

CVE-2026-59709 MEDIUM PATCH This Month

Ghostfolio's portfolio sharing impersonation feature exposes a missing authorization check on the PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint, allowing holders of read-only share tokens to modify portfolio holding tags they should only be able to view. Any user granted read-only access to another user's portfolio can exploit this flaw to assign or remove tags on holdings, silently corrupting the victim's portfolio categorization, reporting, and analytics. No public exploit code has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.

Authentication Bypass Ghostfolio
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-28785 CRITICAL PATCH Act Now

SQL injection in Ghostfolio before 2.244.0 via symbol validation bypass. Patch available.

RCE SQLi Ghostfolio
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-28680 CRITICAL PATCH Act Now

SSRF in Ghostfolio wealth management before 2.245.0. Patch available.

SSRF Ghostfolio
NVD GitHub
CVSS 3.1
9.3
EPSS
0.0%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Ghostfolio's portfolio sharing impersonation feature exposes a missing authorization check on the PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint, allowing holders of read-only share tokens to modify portfolio holding tags they should only be able to view. Any user granted read-only access to another user's portfolio can exploit this flaw to assign or remove tags on holdings, silently corrupting the victim's portfolio categorization, reporting, and analytics. No public exploit code has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.

Authentication Bypass Ghostfolio
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

SQL injection in Ghostfolio before 2.244.0 via symbol validation bypass. Patch available.

RCE SQLi Ghostfolio
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

SSRF in Ghostfolio wealth management before 2.245.0. Patch available.

SSRF Ghostfolio
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy