{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28680", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-02T21:43:19.927Z", "datePublished": "2026-03-06T04:26:51.379Z", "dateUpdated": "2026-03-06T16:07:29.614Z"}, "containers": {"cna": {"title": "Ghostfolio: Full-Read SSRF in Manual Asset Import", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-hhv6-c34h-pwgh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-hhv6-c34h-pwgh"}, {"name": "https://github.com/ghostfolio/ghostfolio/releases/tag/2.245.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/ghostfolio/ghostfolio/releases/tag/2.245.0"}], "affected": [{"vendor": "ghostfolio", "product": "ghostfolio", "versions": [{"version": "< 2.245.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:26:51.379Z"}, "descriptions": [{"lang": "en", "value": "Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal network services. This issue has been patched in version 2.245.0."}], "source": {"advisory": "GHSA-hhv6-c34h-pwgh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T16:00:14.619218Z", "id": "CVE-2026-28680", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:07:29.614Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28680", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T16:00:14.619218Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:00:15.772Z"}}], "cna": {"title": "Ghostfolio: Full-Read SSRF in Manual Asset Import", "source": {"advisory": "GHSA-hhv6-c34h-pwgh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ghostfolio", "product": "ghostfolio", "versions": [{"status": "affected", "version": "< 2.245.0"}]}], "references": [{"url": "https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-hhv6-c34h-pwgh", "name": "https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-hhv6-c34h-pwgh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ghostfolio/ghostfolio/releases/tag/2.245.0", "name": "https://github.com/ghostfolio/ghostfolio/releases/tag/2.245.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal network services. This issue has been patched in version 2.245.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:26:51.379Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28680", "state": "PUBLISHED", "dateUpdated": "2026-03-06T16:07:29.614Z", "dateReserved": "2026-03-02T21:43:19.927Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T04:26:51.379Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ghostfol:ghostfolio:*:*:*:*:*:*:*:*", "matchCriteriaId": "F4607553-B018-447B-8D8F-D1FBD94E3A8B", "versionEndExcluding": "2.245.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal network services. This issue has been patched in version 2.245.0."}, {"lang": "es", "value": "Ghostfolio es un software de gesti\u00f3n de patrimonio de c\u00f3digo abierto. Antes de la versi\u00f3n 2.245.0, un atacante puede explotar la funci\u00f3n de importaci\u00f3n manual de activos para realizar un SSRF de lectura completa, lo que les permite exfiltrar metadatos sensibles de la nube (IMDS) o sondear servicios de red internos. Este problema ha sido parcheado en la versi\u00f3n 2.245.0."}], "id": "CVE-2026-28680", "lastModified": "2026-03-10T19:53:22.550", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T05:16:37.343", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/ghostfolio/ghostfolio/releases/tag/2.245.0"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-hhv6-c34h-pwgh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.245.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ghostfolio", "source": "cna", "vendor": "ghostfolio"}, "product": "ghostfolio", "vendor": "ghostfolio"}], "created": "2026-03-06T14:55:50.297812+00:00", "updated": "2026-03-06T14:55:50.297890+00:00", "vendors": ["ghostfolio", "ghostfolio$PRODUCT$ghostfolio"]}