Description
Bernd Bestel grocy v4.6.0 was discovered to contain a SQL injection vulnerability in the product-group parameter at /stockreports/spendings. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement.
Published: 2026-06-15
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SQL injection (CWE‑89) occurs in the product‑group query parameter of Grocy’s /stockreports/spendings endpoint. A malicious payload can force the application to execute arbitrary SQL statements, allowing an attacker to retrieve sensitive data stored in the database. The impact is a direct compromise of confidentiality, with no documented effect on integrity or availability in the CVE description.

Affected Systems

Grocy version 4.6.0 is the only affected release mentioned. No other vendors or products are listed in the CVE payload, so only deployments running this version of the open‑source home‑shopping manager are impacted.

Risk and Exploitability

The CVSS score of 9.8 signals critical severity, while the EPSS <1% indicates a low likelihood that the flaw is being actively exploited at present. The vulnerability is not currently catalogued in CISA’s KEV list. Based on the description, the likely attack vector is remote via the HTTP endpoint /stockreports/spendings; an attacker can send a crafted product‑group parameter from an external system when the endpoint is reachable to trigger the injection. No privileged access is required beyond reaching the endpoint.

Generated by OpenCVE AI on June 18, 2026 at 03:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Grocy to the latest version that contains the fix for the SQL injection in /stockreports/spendings.
  • Restrict access to the /stockreports/spendings endpoint by enabling authentication and limiting it to authorized users.
  • Replace the vulnerable code with parameterized queries or implement input validation for the product‑group parameter to prevent arbitrary SQL execution.
  • If a patch is not immediately available, deploy a web application firewall rule that blocks or sanitizes suspicious SQL syntax for the product‑group parameter.

Generated by OpenCVE AI on June 18, 2026 at 03:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Grocy
Grocy grocy
Vendors & Products Grocy
Grocy grocy

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title SQL Injection in Grocy 4.6.0 /stockreports/spendings

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title SQL Injection in Grocy 4.6.0 /stockreports/spendings

Tue, 16 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description Bernd Bestel grocy v4.6.0 was discovered to contain a SQL injection vulnerability in the product-group parameter at /stockreports/spendings. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-16T15:19:55.812Z

Reserved: 2026-06-07T00:00:00.000Z

Link: CVE-2026-50890

cve-icon Vulnrichment

Updated: 2026-06-16T15:19:47.401Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T20:16:32.003

Modified: 2026-06-16T17:16:42.310

Link: CVE-2026-50890

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T09:35:47Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')