Description
Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL commands via the getHistorical() method, potentially allowing them to read, modify, or delete sensitive financial data for all users in the database. This issue has been patched in version 2.244.0.
Published: 2026-03-06
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Data Compromise via Arbitrary SQL Commands
Action: Apply Patch
AI Analysis

Impact

A time-based blind SQL injection exists in the getHistorical() method used during manual asset import. By bypassing symbol validation, an attacker can inject and execute arbitrary SQL statements and thereby read, modify, or delete financial data belonging to all users. The weakness is classified as CWE-89 (SQL injection) and carries a CVSS v4.0 base score of 9.3 (Critical).

Affected Systems

The issue affects all releases of Ghostfolio prior to version 2.244.0; the affected product, the open-source wealth management platform, is tracked under the vendor:product identifier ghostfolio:ghostfolio.

Risk and Exploitability

Exploit probability is rated very low (EPSS < 1 %), but the potential impact is severe; Ghostfolio is not listed in the CISA Known Exploited Vulnerabilities catalog. An attacker needs access to the web interface that triggers getHistorical(), typically as a user who can initiate a manual asset import. The attack path is inferred to be the web API, since it requires submitting the asset symbol field that is not properly validated.

Generated by OpenCVE AI on April 16, 2026 at 11:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ghostfolio to version 2.244.0 or later, which removes the vulnerable getHistorical() implementation.
  • Disable or restrict the Manual Asset Import feature or the getHistorical endpoint for non-administrative users until the patch is applied.
  • Implement strict input validation or a whitelist for asset symbols to prevent future injection attempts.
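One way to implement the symbol validation and query hardening recommended above, as an added example in JavaScript that is not Ghostfolio's own code: the allowlist contents, the InvalidSymbolError class, the two query-builder functions and the "MarketData" table and "marketPrice" column names are assumptions for illustration. The hardened builder binds the symbol as a query parameter after validation; the unsafe builder is shown only for contrast, so the difference in the resulting statement is visible.

```javascript
// Added example (not Ghostfolio's code): strict asset-symbol validation in
// front of a parameterized historical-data query. All names below, including
// the "MarketData" table and "marketPrice" column, are assumptions.

// A ticker-like token: letters, digits, dot and hyphen, 1 to 20 characters.
// Quotes, spaces, semicolons and comment markers can never match.
const SYMBOL_PATTERN = /^[A-Z0-9][A-Z0-9.\-]{0,19}$/;

// Constructed allowlist standing in for the symbols a data source actually serves.
const KNOWN_SYMBOLS = new Set(['AAPL', 'MSFT', 'BRK.B', 'VWRL.L']);

class InvalidSymbolError extends Error {
  constructor(message) {
    super(message);
    this.name = 'InvalidSymbolError';
  }
}

// Normalize, then reject anything that is not a known, well-formed symbol.
function validateSymbol(input) {
  if (typeof input !== 'string') {
    throw new InvalidSymbolError('symbol must be a string');
  }
  const symbol = input.trim().toUpperCase();
  if (!SYMBOL_PATTERN.test(symbol)) {
    throw new InvalidSymbolError(`malformed symbol: ${JSON.stringify(input)}`);
  }
  if (!KNOWN_SYMBOLS.has(symbol)) {
    throw new InvalidSymbolError(`unknown symbol: ${symbol}`);
  }
  return symbol;
}

// True when validateSymbol rejects the input (useful for tests and logging).
function isRejected(input) {
  try {
    validateSymbol(input);
    return false;
  } catch (err) {
    return err instanceof InvalidSymbolError;
  }
}

// Hardened query: the symbol is bound as parameter $1 and never becomes SQL text.
// Returns the { text, values } shape that node-postgres style drivers accept.
function buildHistoricalQuery(rawSymbol, from, to) {
  const symbol = validateSymbol(rawSymbol);
  return {
    text:
      'SELECT date, "marketPrice" FROM "MarketData" ' +
      'WHERE symbol = $1 AND date BETWEEN $2 AND $3 ORDER BY date',
    values: [symbol, from, to],
  };
}

// Contrast only: interpolating the raw value places user-controlled text inside
// the statement, which is the pattern CWE-89 describes.
function buildHistoricalQueryUnsafe(rawSymbol, from, to) {
  return {
    text:
      `SELECT date, "marketPrice" FROM "MarketData" ` +
      `WHERE symbol = '${rawSymbol}' AND date BETWEEN '${from}' AND '${to}'`,
    values: [],
  };
}

// Demo over constructed inputs.
for (const candidate of [' aapl ', 'BRK.B', "AAPL'", 'A B', 'ZZZZ']) {
  console.log(JSON.stringify(candidate), isRejected(candidate) ? 'rejected' : 'accepted');
}
console.log(buildHistoricalQuery('MSFT', '2026-01-01', '2026-03-01'));
```

The allowlist check is the stronger of the two gates: even a well-formed token is refused unless the data source is known to serve it, so the validation cannot be bypassed by a value that merely looks like a ticker. Parameter binding is the backstop; with it, the statement text is constant regardless of input, and the database never parses the symbol as SQL.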

Generated by OpenCVE AI on April 16, 2026 at 11:37 UTC.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 20:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Ghostfol; Ghostfol ghostfolio
CPEs                 -                cpe:2.3:a:ghostfol:ghostfolio:*:*:*:*:*:*:*:*
Vendors & Products   -                Ghostfol; Ghostfol ghostfolio
Metrics              -                cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 06 Mar 2026 17:15:00 +0000

Type                 Values Removed   Values Added
Metrics              -                ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Ghostfolio; Ghostfolio ghostfolio
Vendors & Products   -                Ghostfolio; Ghostfolio ghostfolio

Fri, 06 Mar 2026 04:45:00 +0000

Type                 Values Removed   Values Added
Description          -                Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL commands via the getHistorical() method, potentially allowing them to read, modify, or delete sensitive financial data for all users in the database. This issue has been patched in version 2.244.0.
Title                -                Ghostfolio: Time-Based Blind SQL Injection in Manual Asset Import
Weaknesses           -                CWE-89
References           -                -
Metrics              -                cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:07:18.757Z

Reserved: 2026-03-03T14:25:19.244Z

Link: CVE-2026-28785

Vulnrichment

Updated: 2026-03-06T16:00:13.507Z

NVD

Status : Analyzed

Published: 2026-03-06T05:16:39.693

Modified: 2026-03-10T19:51:37.673

Link: CVE-2026-28785

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:45:26Z

Weaknesses