CVE-2026-28680 CRITICAL

CVE-2026-28680: Ghostfolio: Full-Read SSRF in Manual Asset Import

Vendor Ghostfolio

Product ghostfolio

Weakness CWE-918 · SSRF

Published March 6, 2026

Last update March 6, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

What the vulnerability does

01Description

Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal network services. This issue has been patched in version 2.245.0.

Key dates

02Disclosure timeline

March 6, 2026 CVE published

March 6, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-28680 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/918.html

Related vulnerabilities

04Related CVE

CVE-2023-46729 Sentry Next.js vulnerable to SSRF via Next.js SDK tunnel endpoint CVE-2026-7025 Typecho Ping Back Service Endpoint Service.php sendPingHandle server-side request forgery CVE-2024-31288 WordPress RapidLoad plugin <= 2.2.11 - Server Side Request Forgery (SSRF) vulnerability CVE-2025-27777 Applio allows SSRF and file write in model_download.py CVE-2026-33237 AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation