Ghostfolio Prior to 2.244.0 Allows SQL Attacks on User Data
CVE-2026-28785
Summary
Ghostfolio users are at risk of a serious data breach if they are using a version prior to 2.244.0. An attacker can potentially access, alter, or delete sensitive financial information for all users. Update to version 2.244.0 to fix this vulnerability.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| ghostfol | ghostfolio | <= 2.244.0 | – |
Original title
Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL commands via the getHistorical() method, pot...
Original description
Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL commands via the getHistorical() method, potentially allowing them to read, modify, or delete sensitive financial data for all users in the database. This issue has been patched in version 2.244.0.
NVD CVSS 4.0 score
9.3
Vulnerability type
CWE-89: SQL Injection
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026