Impact
SQL injection (CWE‑89) occurs in the product‑group query parameter of Grocy’s /stockreports/spendings endpoint. A malicious payload can force the application to execute arbitrary SQL statements, allowing an attacker to retrieve sensitive data stored in the database. The impact is a direct compromise of confidentiality, with no documented effect on integrity or availability in the CVE description.
Affected Systems
Grocy version 4.6.0 is the only affected release mentioned. No other vendors or products are listed in the CVE payload, so only deployments running this version of the open‑source home‑shopping manager are impacted.
Risk and Exploitability
The CVSS score of 9.8 signals critical severity, while the EPSS <1% indicates a low likelihood that the flaw is being actively exploited at present. The vulnerability is not currently catalogued in CISA’s KEV list. Based on the description, the likely attack vector is remote via the HTTP endpoint /stockreports/spendings; an attacker can send a crafted product‑group parameter from an external system when the endpoint is reachable to trigger the injection. No privileged access is required beyond reaching the endpoint.
OpenCVE Enrichment