QwikSec

Security Database

CVE

CWE

Training

CVE-2026-28785

Published: Mar 6, 2026

Modified: Mar 6, 2026

PUBLISHED

Description

Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL commands via the getHistorical() method, potentially allowing them to read, modify, or delete sensitive financial data for all users in the database. This issue has been patched in version 2.244.0.

Vendor	Product	Versions
ghostfolio	ghostfolio	affected `< 2.244.0`

Weaknesses (CWE)

References

https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-m5cc-7jw5-34xp

x_refsource_CONFIRM

https://github.com/ghostfolio/ghostfolio/releases/tag/2.244.0

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.