{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28680", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-02T21:43:19.927Z", "datePublished": "2026-03-06T04:26:51.379Z", "dateUpdated": "2026-03-06T16:07:29.614Z"}, "containers": {"cna": {"title": "Ghostfolio: Full-Read SSRF in Manual Asset Import", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-hhv6-c34h-pwgh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-hhv6-c34h-pwgh"}, {"name": "https://github.com/ghostfolio/ghostfolio/releases/tag/2.245.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/ghostfolio/ghostfolio/releases/tag/2.245.0"}], "affected": [{"vendor": "ghostfolio", "product": "ghostfolio", "versions": [{"version": "< 2.245.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:26:51.379Z"}, "descriptions": [{"lang": "en", "value": "Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal network services. This issue has been patched in version 2.245.0."}], "source": {"advisory": "GHSA-hhv6-c34h-pwgh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T16:00:14.619218Z", "id": "CVE-2026-28680", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:07:29.614Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28680", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T16:00:14.619218Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:00:15.772Z"}}], "cna": {"title": "Ghostfolio: Full-Read SSRF in Manual Asset Import", "source": {"advisory": "GHSA-hhv6-c34h-pwgh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ghostfolio", "product": "ghostfolio", "versions": [{"status": "affected", "version": "< 2.245.0"}]}], "references": [{"url": "https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-hhv6-c34h-pwgh", "name": "https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-hhv6-c34h-pwgh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ghostfolio/ghostfolio/releases/tag/2.245.0", "name": "https://github.com/ghostfolio/ghostfolio/releases/tag/2.245.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal network services. This issue has been patched in version 2.245.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:26:51.379Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28680", "state": "PUBLISHED", "dateUpdated": "2026-03-06T16:07:29.614Z", "dateReserved": "2026-03-02T21:43:19.927Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T04:26:51.379Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ghostfol:ghostfolio:*:*:*:*:*:*:*:*", "matchCriteriaId": "F4607553-B018-447B-8D8F-D1FBD94E3A8B", "versionEndExcluding": "2.245.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal network services. This issue has been patched in version 2.245.0."}, {"lang": "es", "value": "Ghostfolio es un software de gesti\u00f3n de patrimonio de c\u00f3digo abierto. Antes de la versi\u00f3n 2.245.0, un atacante puede explotar la funci\u00f3n de importaci\u00f3n manual de activos para realizar un SSRF de lectura completa, lo que les permite exfiltrar metadatos sensibles de la nube (IMDS) o sondear servicios de red internos. Este problema ha sido parcheado en la versi\u00f3n 2.245.0."}], "id": "CVE-2026-28680", "lastModified": "2026-03-10T19:53:22.550", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T05:16:37.343", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/ghostfolio/ghostfolio/releases/tag/2.245.0"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-hhv6-c34h-pwgh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.245.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ghostfolio", "source": "cna", "vendor": "ghostfolio"}, "product": "ghostfolio", "vendor": "ghostfolio"}], "analysis": {"en": {"generated_at": "2026-04-16T11:37:58.929730+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch by upgrading Ghostfolio to version 2.245.0 or later", "If an upgrade is impossible, temporarily disable the manual asset import feature or restrict it to trusted users", "Enforce network segmentation and firewall rules to block outbound connections from the Ghostfolio application to sensitive internal services"], "summary": {"action": "Immediate Patch", "impact": "Full-Read Server Side Request Forgery enabling attackers to read arbitrary internal URLs and cloud metadata"}, "threat_synthesis": {"affected_systems": "All installations of Ghostfolio older than version 2.245.0 are vulnerable. The issue is confined to the open\u2011source product available under the ghostfolio:ghostfolio CNA.", "description_and_impact": "Ghostfolio\u2019s manual asset import process lacks proper validation on user-supplied URLs, permitting a full\u2011read SSRF. An attacker can supply a crafted request that forces the server to fetch data from any internal or externally exposed endpoint, including instance metadata services that expose credentials and configuration. This flaw can lead to the exposure of highly sensitive information, compromising confidentiality and potentially enabling further lateral movement.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 9.3, indicating critical severity. The EPSS score is below 1%, suggesting a low current probability of exploitation, and the flaw is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is the web UI used for manual asset import; an attacker must have access to the application but does not require elevated privileges. Exploitation would involve providing a malicious URL to the import functionality, resulting in data exfiltration if the target environment hosts services such as cloud metadata endpoints or internal APIs."}}}}, "created": "2026-03-06T14:55:50.297812+00:00", "updated": "2026-04-16T11:45:26.265891+00:00", "vendors": ["ghostfolio", "ghostfolio$PRODUCT$ghostfolio"]}