CVE-2026-28785
Published: 06 March 2026
Summary
CVE-2026-28785 is a critical-severity SQL Injection (CWE-89) vulnerability in Ghostfolio, an open source wealth management application. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 22.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validating the inputs reaching the getHistorical() method, closing the SQL injection that bypassed symbol validation enables.
- Flaw remediation: ensures the SQL injection flaw is fixed promptly by patching to version 2.244.0 or later.
- RA-5 (Vulnerability Monitoring and Scanning): provides vulnerability scanning to identify SQL injection issues such as CVE-2026-28785 in Ghostfolio before they are exploited.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1190 (Exploit Public-Facing Application): the SQL injection sits in the getHistorical() method of a public-facing Ghostfolio web application, so a remote, unauthenticated attacker can use it for initial access and full compromise of the database.
NVD Description
Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL commands via the getHistorical() method, potentially allowing them to read, modify, or delete sensitive financial data for all users in the database. This issue has been patched in version 2.244.0.
Deeper analysis
CVE-2026-28785 is a SQL injection vulnerability (CWE-89) in Ghostfolio, an open source wealth management software. In versions prior to 2.244.0, attackers can bypass symbol validation in the getHistorical() method to execute arbitrary SQL commands, potentially compromising the database.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network with low complexity, no authentication requirements, and no user interaction needed. Unauthenticated attackers can achieve high-impact effects, including reading, modifying, or deleting sensitive financial data for all users in the database.
Ghostfolio has patched this issue in version 2.244.0. Security advisories recommend upgrading to this version or later for mitigation. Additional details are available in the GitHub release notes at https://github.com/ghostfolio/ghostfolio/releases/tag/2.244.0 and the security advisory at https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-m5cc-7jw5-34xp.
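The following example illustrates the CWE-89 pattern described above and the SI-10 control listed under Mitigating Controls: a query builder that splices a caller-supplied symbol into SQL text, beside a hardened version that enforces an allowlist and binds the value as a parameter. It is an added illustration written for this page in TypeScript, not Ghostfolio's code; it does not reproduce how getHistorical() is implemented, how the real symbol validation was bypassed, or the project's schema. The function names, table and column names, the symbol allowlist pattern and the injected payload are all assumptions constructed for the example.

```typescript
// Added illustration of CWE-89 (SQL injection) and NIST 800-53 SI-10
// (input validation). Hypothetical code written for this page: it is NOT
// Ghostfolio's implementation of getHistorical() and does not reproduce
// the actual bypass. Function, table and column names are invented.

interface ParameterizedQuery {
  text: string;      // SQL with positional placeholders ($1, $2, ...)
  values: string[];  // bound values handed to the driver separately
}

// Vulnerable pattern: the caller-controlled symbol is spliced straight into
// the SQL text, so any quote or keyword in `symbol` changes the statement.
function buildHistoricalQueryUnsafe(symbol: string, fromDate: string): string {
  return `SELECT date, marketPrice FROM "MarketData" ` +
    `WHERE symbol = '${symbol}' AND date >= '${fromDate}' ORDER BY date`;
}

// Allowlist for ticker-like identifiers: upper-case letters, digits and the
// few separators symbols commonly use (e.g. "BRK.B", "BTC-USD", "VWCE.DE").
// Hypothetical policy for this example, not Ghostfolio's validation rule.
const SYMBOL_PATTERN = /^[A-Z0-9][A-Z0-9._-]{0,31}$/;
const ISO_DATE_PATTERN = /^\d{4}-\d{2}-\d{2}$/;

function isValidSymbol(symbol: string): boolean {
  return SYMBOL_PATTERN.test(symbol);
}

// Hardened pattern: reject anything outside the allowlist first (SI-10), then
// pass the value as a bound parameter so the database never parses it as SQL.
// Binding alone already defeats the injection; the allowlist adds defence in
// depth and rejects garbage before it reaches the query layer.
function buildHistoricalQuerySafe(symbol: string, fromDate: string): ParameterizedQuery {
  if (!isValidSymbol(symbol)) {
    throw new RangeError(`rejected symbol: ${JSON.stringify(symbol)}`);
  }
  if (!ISO_DATE_PATTERN.test(fromDate)) {
    throw new RangeError(`rejected date: ${JSON.stringify(fromDate)}`);
  }
  return {
    text: 'SELECT date, marketPrice FROM "MarketData" WHERE symbol = $1 AND date >= $2 ORDER BY date',
    values: [symbol, fromDate],
  };
}

// Constructed attacker input: closes the string literal, appends a UNION that
// reads from an unrelated (invented) table, and comments out the remainder.
const INJECTED_SYMBOL = `AAPL' UNION SELECT id, password FROM "User" -- `;

interface DemoResult {
  unsafe: string;             // what the vulnerable builder would send
  rejected: boolean;          // whether the hardened builder refused the payload
  safe: ParameterizedQuery;   // the hardened builder on a benign symbol
}

function demo(): DemoResult {
  const unsafe = buildHistoricalQueryUnsafe(INJECTED_SYMBOL, "2024-01-01");

  let rejected = false;
  try {
    buildHistoricalQuerySafe(INJECTED_SYMBOL, "2024-01-01");
  } catch (e) {
    rejected = e instanceof RangeError;
  }

  const safe = buildHistoricalQuerySafe("AAPL", "2024-01-01");
  return { unsafe, rejected, safe };
}
```

Running demo() shows the unsafe builder emitting a statement that contains the attacker's UNION clause, while the hardened builder throws on the same input and, for a legitimate symbol, keeps the value out of the SQL text entirely. The upper-case-only allowlist is a deliberate simplification; a real service would normalise case (or accept both) according to its own symbol conventions, which this page does not describe.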
Details
- CWE(s)