Cyber Posture

CVE-2026-28680

Severity: Critical
Published: 06 March 2026
Modified: 10 March 2026
KEV Added: not listed
Patch: available (see version 2.245.0 below)
CVSS Score: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N)
EPSS Score: 0.0005 (16.4th percentile)
Risk Priority: 19 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-28680 is a critical-severity server-side request forgery (SSRF, CWE-918) vulnerability in Ghostfolio (vendor identifier: ghostfol). Its CVSS v3.1 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 16.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (input validation): Validates user-supplied inputs in the manual asset import feature to block malicious URLs that enable SSRF exploitation.

prevent (AC-4 Information Flow Enforcement): Enforces logical information flow control policies to prevent the server from making unauthorized requests to internal endpoints or cloud metadata services.

prevent (SC-7 Boundary Protection): Monitors and controls application outbound network traffic at boundaries to block SSRF-induced requests to sensitive internal resources.
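The three controls above reduce to one concrete gate on the server side: before an "import from URL" feature fetches anything, the URL must pass a scheme allowlist and every address it would connect to must fall outside loopback, private, link-local (which is where the 169.254.169.254 cloud metadata endpoint lives) and other non-routable ranges. The following is an added example written for this page; it is not Ghostfolio's code and makes no claim about how the project's fix works. Function names (validateImportUrl, isBlockedAddress), the CIDR blocklist and the sample inputs are assumptions constructed for illustration. It also covers the forms a naive string check misses: decimal and IPv4-mapped-IPv6 spellings of the same address, and hostnames whose resolved addresses (passed in by the caller) are internal.

```typescript
import * as net from "net";

export interface UrlCheck {
  ok: boolean;
  reason?: string;
}

// Constructed IPv4 blocklist; extend it for your own environment.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8],       // "this" network
  ["10.0.0.0", 8],      // RFC 1918
  ["100.64.0.0", 10],   // carrier-grade NAT
  ["127.0.0.0", 8],     // loopback
  ["169.254.0.0", 16],  // link-local, includes the IMDS endpoint 169.254.169.254
  ["172.16.0.0", 12],   // RFC 1918
  ["192.168.0.0", 16],  // RFC 1918
  ["224.0.0.0", 4],     // multicast
  ["240.0.0.0", 4],     // reserved and broadcast
];

function v4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

export function isBlockedIPv4(ip: string): boolean {
  if (!net.isIPv4(ip)) return true; // anything that is not a clean dotted quad is refused
  const n = v4ToInt(ip);
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
  });
}

// Expand any textual IPv6 form (compressed, uncompressed, dotted IPv4 tail) into 8 groups.
function expandIPv6(ip: string): number[] | null {
  let s = ip.toLowerCase();
  const tail = s.match(/(\d+\.\d+\.\d+\.\d+)$/);
  if (tail) {
    const n = v4ToInt(tail[1]);
    s = s.slice(0, -tail[1].length) + (n >>> 16).toString(16) + ":" + (n & 0xffff).toString(16);
  }
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const rest = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const fill = halves.length === 2 ? 8 - head.length - rest.length : 0;
  if (fill < 0 || head.length + rest.length + fill !== 8) return null;
  const groups = [...head, ...Array(fill).fill("0"), ...rest].map((g) => parseInt(g, 16));
  return groups.some(Number.isNaN) ? null : groups;
}

export function isBlockedIPv6(ip: string): boolean {
  if (!net.isIPv6(ip)) return true;
  const g = expandIPv6(ip);
  if (!g) return true;
  const mapped = g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff; // ::ffff:a.b.c.d
  const compat = g.slice(0, 6).every((x) => x === 0);                    // ::/96, covers :: and ::1
  if (mapped || compat) {
    // Apply the IPv4 rules to the embedded address so ::ffff:169.254.169.254 is caught too.
    const v4 = [g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff].join(".");
    return isBlockedIPv4(v4);
  }
  const top = g[0];
  if ((top & 0xffc0) === 0xfe80) return true; // link-local fe80::/10
  if ((top & 0xfe00) === 0xfc00) return true; // unique local fc00::/7
  if ((top & 0xff00) === 0xff00) return true; // multicast ff00::/8
  return false;
}

export function isBlockedAddress(ip: string): boolean {
  return net.isIPv4(ip) ? isBlockedIPv4(ip) : isBlockedIPv6(ip);
}

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// `resolved` is the list of addresses the caller obtained for the hostname
// (e.g. dns.lookup with { all: true }). Every one must pass, and the caller
// should then connect to a vetted address rather than re-resolve the name,
// which closes the DNS-rebinding window between check and fetch.
export function validateImportUrl(raw: string, resolved: string[] = []): UrlCheck {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL not allowed" };
  // WHATWG URL parsing canonicalises numeric hosts, so http://2130706433/ arrives here as 127.0.0.1.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "localhost not allowed" };
  if (net.isIP(host) && isBlockedAddress(host)) return { ok: false, reason: `literal address ${host} is non-routable` };
  for (const ip of resolved) {
    if (isBlockedAddress(ip)) return { ok: false, reason: `${host} resolves to non-routable ${ip}` };
  }
  return { ok: true };
}
```

The address check is deliberately a blocklist of non-routable ranges rather than an allowlist of hostnames, because an import feature is expected to reach arbitrary public sites; where the feature only ever needs a handful of data providers, an allowlist is the stronger AC-4 posture and this gate becomes a second layer behind it. Egress filtering at the network boundary (SC-7) still belongs underneath either choice, since the application-level check cannot see redirects followed by the HTTP client unless each hop is re-validated.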

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1046 Network Service Discovery (Discovery): Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.

T1522 Cloud Instance Metadata API (Credential Access): Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. (T1522 is the revoked standalone ID for this behaviour; current ATT&CK versions carry it as sub-technique T1552.005.)

T1552.005 Cloud Instance Metadata API (Credential Access): Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

Why these techniques?

SSRF in a public-facing application is itself the T1190 exploitation step; once the server can be made to issue requests on the attacker's behalf, it facilitates internal service probing (T1046), cloud metadata API access (T1522) and IMDS credential exfiltration (T1552.005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal network services. This issue has been patched in version 2.245.0.

Deeper analysis

CVE-2026-28680 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting Ghostfolio, an open source wealth management software. Prior to version 2.245.0, the manual asset import feature allows a full-read SSRF, enabling attackers to make unauthorized requests from the server. The vulnerability carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N), indicating critical severity due to high confidentiality impact and changed scope.

A remote, unauthenticated attacker can exploit this vulnerability by abusing the manual asset import functionality to force the Ghostfolio server to send requests to arbitrary internal or external endpoints. Successful exploitation allows exfiltration of sensitive cloud metadata, such as Instance Metadata Service (IMDS) data, or probing of internal network services, potentially leading to further compromise in cloud environments.

The issue has been addressed in Ghostfolio version 2.245.0, as detailed in the project's release notes and security advisory. Upgrade to this version or later; where an upgrade cannot be applied immediately, the AC-4 and SC-7 controls above (restricting the application's outbound requests and blocking egress to internal ranges and the metadata service at the network boundary) limit what a successful SSRF can reach. Further technical details are in the GitHub advisory (GHSA-hhv6-c34h-pwgh) and the release tag (2.245.0).

Details

CWE(s): CWE-918 (Server-Side Request Forgery)

Affected Products: ghostfol / ghostfolio, ≤ 2.245.0 (the NVD description above states that versions prior to 2.245.0 are affected and that 2.245.0 contains the fix)

CVEs Like This One

CVE-2026-28785: same product (Ghostfolio)
CVE-2026-3478: shared CWE-918
CVE-2026-33480: shared CWE-918
CVE-2026-31943: shared CWE-918
CVE-2026-33024: shared CWE-918
CVE-2026-34954: shared CWE-918
CVE-2026-32133: shared CWE-918
CVE-2026-27732: shared CWE-918
CVE-2025-36845: shared CWE-918
CVE-2026-0560: shared CWE-918

References