← back
CVE-2026-28680

Ghostfolio: Full-Read SSRF in Manual Asset Import

CVSS 9.3 CRITICALEPSS 0.2%CWE-918
Vexday Risk Score
28Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.3EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
06 Mar 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal network services. This issue has been patched in version 2.245.0.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Affected products
ghostfolio · ghostfolio