Cyber Resilience

CVE-2026-28785

Severity: Critical
Published: 06 March 2026
Modified: 10 March 2026
CVSS v4 score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0037 (28.4th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-28785 is a critical-severity SQL Injection (CWE-89) vulnerability in Ghostfolio (vendor: ghostfol). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By exploit likelihood (EPSS) it ranks at the 28.4th percentile, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-28785 is a SQL injection vulnerability (CWE-89) in Ghostfolio, open-source wealth management software. In versions prior to 2.244.0, an attacker can bypass the symbol validation applied by the getHistorical() method and thereby execute arbitrary SQL commands, potentially compromising the database.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): it is exploitable remotely over the network, with low attack complexity, no authentication and no user interaction. An unauthenticated attacker can therefore read, modify, or delete sensitive financial data for all users in the database.

Ghostfolio has patched this issue in version 2.244.0. Security advisories recommend upgrading to this version or later for mitigation. Additional details are available in the GitHub release notes at https://github.com/ghostfolio/ghostfolio/releases/tag/2.244.0 and the security advisory at https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-m5cc-7jw5-34xp.
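As an added illustration (not Ghostfolio's code: the table and column names, the query shape and both validators are hypothetical), the pattern that turns a bypassable symbol check into SQL injection, beside a strict allowlist combined with a parameterized query:

```typescript
// Added illustration only; this is NOT Ghostfolio's code. The table, column
// names and the shape of the getHistorical() data access below are hypothetical.

// Weak check: the pattern is not anchored, so any string that merely
// CONTAINS a run of symbol characters passes, quotes and all.
const WEAK_SYMBOL_PATTERN = /[A-Z0-9.]+/;

// Strict check: anchored allowlist with a length bound, so the whole
// value must look like a ticker symbol.
const STRICT_SYMBOL_PATTERN = /^[A-Z0-9][A-Z0-9.\-]{0,19}$/;

function isValidSymbolWeak(symbol: string): boolean {
  return WEAK_SYMBOL_PATTERN.test(symbol);
}

function isValidSymbolStrict(symbol: string): boolean {
  return STRICT_SYMBOL_PATTERN.test(symbol);
}

interface HistoricalQuery {
  sql: string;
  params: string[];
}

// Vulnerable pattern (CWE-89): a bypassable check followed by string
// interpolation, so the symbol becomes part of the SQL text itself.
function buildHistoricalQueryVulnerable(symbol: string): HistoricalQuery {
  if (!isValidSymbolWeak(symbol)) {
    throw new Error(`invalid symbol: ${symbol}`);
  }
  return {
    sql: `SELECT date, marketPrice FROM MarketData WHERE symbol = '${symbol}' ORDER BY date`,
    params: [],
  };
}

// Hardened pattern: strict allowlist validation AND a parameterized query.
// Even a value that somehow passes validation is sent as data, never as SQL.
function buildHistoricalQuerySafe(symbol: string): HistoricalQuery {
  if (!isValidSymbolStrict(symbol)) {
    throw new Error(`invalid symbol: ${symbol}`);
  }
  return {
    sql: 'SELECT date, marketPrice FROM MarketData WHERE symbol = $1 ORDER BY date',
    params: [symbol],
  };
}
```

The point for a reviewer is that validation alone is a single point of failure; the parameterized query holds even when the check is wrong.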


Vulnerability details

Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL commands via the getHistorical() method, potentially allowing them to read, modify, or delete sensitive financial data for all users in the database. This issue has been patched in version 2.244.0.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique? SQL injection in the public-facing Ghostfolio web application (getHistorical() method) directly enables remote, unauthenticated exploitation for initial access and full database compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28680 (same product: Ghostfolio)
CVE-2026-24956 (shared CWE-89)
CVE-2026-33615 (shared CWE-89)
CVE-2025-28939 (shared CWE-89)
CVE-2021-47872 (shared CWE-89)
CVE-2025-28873 (shared CWE-89)
CVE-2019-25636 (shared CWE-89)
CVE-2026-32611 (shared CWE-89)
CVE-2026-42755 (shared CWE-89)
CVE-2024-53544 (shared CWE-89)

Affected Assets

Vendor: ghostfol, product: ghostfolio, versions ≤ 2.244.0

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10, Information Input Validation): directly requires validating inputs to the getHistorical() method to block SQL injection via bypassed symbol validation.

Prevent: ensures timely remediation of the SQL injection flaw through patching to version 2.244.0 or later.

Detect (RA-5, Vulnerability Monitoring and Scanning): provides vulnerability scanning to identify SQL injection issues like CVE-2026-28785 in Ghostfolio prior to exploitation.
