Platform
other
Component
ghostfolio
Fixed in
2.245.1
CVE-2026-28680 is a critical Server-Side Request Forgery (SSRF) vulnerability in Ghostfolio, an open-source wealth-management application. The manual asset import feature makes the Ghostfolio backend fetch a location supplied by the user, and the server does not restrict where that request may go, so an attacker with access to the import feature can make the server issue requests to hosts that only the server can reach. Ghostfolio 2.245.0 and earlier are affected; the fix ships in 2.245.1 (the "Fixed in" version listed above).
The impact depends on where the instance runs. On a cloud VM that still exposes IMDSv1, or any metadata service reachable at a link-local address, an SSRF is a direct path to instance credentials and configuration, which is why the metadata endpoint is the first target in practically every SSRF exploitation. Beyond that, the attacker can use the server as a proxy into whatever is not exposed to the Internet: the database and cache Ghostfolio itself depends on, admin interfaces, and other hosts on the same network. Responses, or even just timing and error differences, let the attacker map internal services and look for further weaknesses. Successful exploitation can therefore lead to unauthorized access to the financial data held by the instance, compromise of the hosting cloud account, and a foothold for lateral movement well beyond the application.
CVE-2026-28680 was publicly disclosed on 2026-03-06. At the time of writing there is no public proof-of-concept exploit and the CVE is not listed in the CISA KEV catalog. Its EPSS score is 0.05% (15th percentile), a low predicted likelihood of in-the-wild exploitation over the next 30 days. Note that CVSS rates severity, not likelihood: a critical CVSS rating says how bad exploitation would be, not how probable it is. That said, an SSRF in a user-reachable import feature is usually simple to weaponize once the request format is known, so the low EPSS is not a reason to delay patching.
Exploit Status
EPSS
0.05% (15th percentile)
The fix is to upgrade Ghostfolio to 2.245.1 or later. Where that cannot happen immediately, reduce what the SSRF can reach instead of trying to pattern-match bad input: an SSRF payload is an ordinary-looking URL that happens to point at an internal address, so a WAF rule for "known malicious domains" does nothing against it. Apply egress filtering to the Ghostfolio process or container that denies outbound traffic to link-local (169.254.0.0/16, where cloud metadata services answer), loopback and RFC 1918 ranges, with explicit exceptions only for the database, cache and DNS endpoints the service needs. On AWS, require IMDSv2 and set the metadata hop limit to 1: a simple GET-based SSRF cannot perform the PUT token exchange IMDSv2 demands, and the hop limit keeps metadata responses from crossing a container's bridged network. Limit who can reach the instance, and therefore the import feature, to trusted users until the upgrade is done. If you carry local patches rather than upgrade, validate the destination in the import handler: allow only http and https, resolve the hostname, reject any address in the private, loopback or link-local ranges, and connect to the address you validated rather than resolving the name a second time, so a DNS rebind between check and request cannot bypass it. After upgrading, verify from an ordinary user account: point an import at a listener you control on an internal address (a netcat listener on a private IP, or the metadata address itself) and confirm that no request arrives, then confirm that an import from a legitimate public source still succeeds.
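The destination check described above, written out as an added example in TypeScript (Ghostfolio is a Node/NestJS application). This is not Ghostfolio's code or its patch; `validateImportUrl`, `resolvePinnedTarget` and the `Resolver` type are hypothetical names, and the block covers more than the paragraph mentions: alternate IPv4 spellings that the WHATWG URL parser normalises, IPv4-mapped and NAT64 IPv6 literals, and a resolver hook so the pinned-address step can be exercised offline.

```typescript
// Added example, not Ghostfolio's code: the destination checks a service should
// run before fetching a user-supplied URL (e.g. a manual asset import).
// validateImportUrl / resolvePinnedTarget are hypothetical names.
import { isIP } from "node:net";
import { lookup } from "node:dns/promises";

// Classic SSRF targets: "this" network, RFC 1918, CGNAT (some providers serve
// metadata from 100.64/10), loopback, link-local (169.254.169.254 = IMDS),
// IETF/benchmark space, multicast and reserved.
const FORBIDDEN_V4 = [
  "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
  "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
  "224.0.0.0/4", "240.0.0.0/4",
];

function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, oct) => ((acc << 8) + Number(oct)) >>> 0, 0);
}

function inCidr4(ip: string, cidr: string): boolean {
  const [base, bits] = cidr.split("/");
  const mask = Number(bits) === 0 ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Expand an IPv6 literal to eight 16-bit groups; a dotted IPv4 tail
// (::ffff:169.254.169.254) is folded into the last two groups first.
function ipv6Groups(ip: string): number[] {
  let s = ip.toLowerCase().replace(/%.*$/, ""); // strip a zone id
  const tail = s.match(/^(.*:)(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (tail) {
    const [a, b, c, d] = tail.slice(2, 6).map(Number);
    s = tail[1] + ((a << 8) | b).toString(16) + ":" + ((c << 8) | d).toString(16);
  }
  const [head, rest = ""] = s.split("::");
  const hi = head ? head.split(":") : [];
  const lo = rest ? rest.split(":") : [];
  const fill = s.includes("::") ? 8 - hi.length - lo.length : 0;
  return [...hi, ...new Array<string>(fill).fill("0"), ...lo].map((g) => parseInt(g, 16));
}

// True when the address must never be contacted; non-IP input is refused too (fail closed).
export function isForbiddenAddress(addr: string): boolean {
  const ver = isIP(addr);
  if (ver === 4) return FORBIDDEN_V4.some((cidr) => inCidr4(addr, cidr));
  if (ver !== 6) return true;
  const g = ipv6Groups(addr);
  const zeroPrefix = g.slice(0, 5).every((x) => x === 0);
  const embedded = (i: number) => `${g[i] >> 8}.${g[i] & 0xff}.${g[i + 1] >> 8}.${g[i + 1] & 0xff}`;
  if (zeroPrefix && (g[5] === 0xffff || g[5] === 0)) return isForbiddenAddress(embedded(6)); // ::, ::1, ::ffff:a.b.c.d
  if (g[0] === 0x64 && g[1] === 0xff9b && g.slice(2, 6).every((x) => x === 0)) return isForbiddenAddress(embedded(6)); // NAT64
  if ((g[0] & 0xfe00) === 0xfc00) return true; // fc00::/7 unique local
  if ((g[0] & 0xffc0) === 0xfe80) return true; // fe80::/10 link-local
  return (g[0] & 0xff00) === 0xff00;           // ff00::/8 multicast
}

export type UrlCheck = { ok: true; url: URL } | { ok: false; reason: string };

// Syntactic checks. The WHATWG parser normalises attacker spellings of IPv4
// (2130706433, 0x7f000001, 0177.0.0.1) to dotted form, so the literal check
// must run on url.hostname, never on the raw string.
export function validateImportUrl(raw: string): UrlCheck {
  let url: URL;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: "scheme not allowed" };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  if (url.port && url.port !== "80" && url.port !== "443") return { ok: false, reason: `port ${url.port} not allowed` };
  const host = url.hostname.replace(/^\[|\]$/g, ""); // IPv6 literals arrive bracketed
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "localhost" };
  if (isIP(host) && isForbiddenAddress(host)) return { ok: false, reason: `${host} is an internal address` };
  return { ok: true, url };
}

export type Resolver = (host: string) => Promise<{ address: string; family: number }[]>;
export type TargetCheck = { ok: true; addresses: string[] } | { ok: false; reason: string };

// Resolve once, refuse if ANY answer is internal (mixed public/private answers
// are a rebinding or dual-homed trick), and return the vetted addresses. The
// caller must connect to one of them (e.g. via the `lookup` option of
// http.request) instead of resolving the name again, or a second lookup can
// hand it the metadata address.
export async function resolvePinnedTarget(
  url: URL, resolver: Resolver = (h) => lookup(h, { all: true }),
): Promise<TargetCheck> {
  const host = url.hostname.replace(/^\[|\]$/g, "");
  let answers: { address: string; family: number }[];
  try {
    answers = isIP(host) ? [{ address: host, family: isIP(host) }] : await resolver(host);
  } catch {
    return { ok: false, reason: `${host} does not resolve` };
  }
  if (answers.length === 0) return { ok: false, reason: `${host} does not resolve` };
  const bad = answers.find((a) => isForbiddenAddress(a.address));
  if (bad) return { ok: false, reason: `${host} resolves to internal address ${bad.address}` };
  return { ok: true, addresses: answers.map((a) => a.address) };
}
```

In a NestJS service the flow is `validateImportUrl` on the request body, then `resolvePinnedTarget`, then an HTTP client configured to connect to one of the returned addresses while sending the original hostname in the Host/SNI fields. Rejecting a name that resolves to any internal address is deliberately strict; it is the only cheap defence against a resolver that alternates answers.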
Update Ghostfolio to version 2.245.1 or later. This release fixes the SSRF in the manual asset import feature.
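The egress restriction suggested as an interim workaround, as an added POSIX sh example that is not part of Ghostfolio or its documentation. It assumes iptables is available on the host, that Ghostfolio runs under its own dedicated uid, and that the only private-range destinations it legitimately needs are the PostgreSQL, Redis and DNS endpoints passed as IPv4 host:port arguments; `apply_egress_policy`, the `GHOSTFOLIO_EGRESS` chain name and the `DRY_RUN` switch are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from Ghostfolio or its docs: a host-firewall egress policy
# for the dedicated account that runs the Ghostfolio process. Assumes iptables
# is available, the service runs under its own uid (passed as $1), and the only
# private-range destinations it legitimately needs are the PostgreSQL, Redis
# and DNS endpoints passed as host:port (IPv4). DRY_RUN=1 prints instead of applying.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# Usage: apply_egress_policy <uid-or-user> [host:port ...]
apply_egress_policy() {
  uid=$1; shift
  chain=GHOSTFOLIO_EGRESS
  run -N "$chain" 2>/dev/null || true
  run -F "$chain"
  # 1. Traffic belonging to connections that were already permitted.
  run -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # 2. Explicit allows for backing services. These must precede the denies,
  #    because the DB, cache and resolver usually live in loopback or RFC 1918 space.
  for dst in "$@"; do
    host=${dst%:*}; port=${dst##*:}
    for proto in tcp udp; do
      run -A "$chain" -d "$host" -p "$proto" --dport "$port" -j ACCEPT
    done
  done
  # 3. Deny the SSRF targets: link-local incl. cloud metadata, loopback,
  #    RFC 1918, CGNAT (metadata on some providers), multicast.
  for net in 169.254.0.0/16 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 \
             192.168.0.0/16 100.64.0.0/10 224.0.0.0/4; do
    run -A "$chain" -d "$net" -j REJECT --reject-with icmp-admin-prohibited
  done
  # 4. Public market-data providers stay reachable.
  run -A "$chain" -j ACCEPT
  # 5. Attach the chain to OUTPUT for this uid only; delete first so re-runs are idempotent.
  run -D OUTPUT -m owner --uid-owner "$uid" -j "$chain" 2>/dev/null || true
  run -I OUTPUT 1 -m owner --uid-owner "$uid" -j "$chain"
}

# Dry run with PostgreSQL and Redis on loopback and a systemd-resolved stub resolver:
#   DRY_RUN=1 apply_egress_policy ghostfolio 127.0.0.1:5432 127.0.0.1:6379 127.0.0.53:53
```

REJECT rather than DROP is chosen on purpose: the import handler fails fast with a connection error instead of hanging until its timeout, which also makes the policy easy to confirm from inside the service (`curl http://169.254.169.254/` as the service user should fail immediately). For a containerised deployment the same rule set belongs in the DOCKER-USER chain keyed on the container's source address instead of `--uid-owner`.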
CVE-2026-28680 is a critical SSRF vulnerability in Ghostfolio 2.245.0 and earlier. Through the manual asset import feature an attacker can make the server request resources it alone can reach, including cloud metadata endpoints, and use it to probe internal services.
Any instance running Ghostfolio 2.245.0 or earlier is vulnerable. Upgrade to 2.245.1 or later.
Upgrade Ghostfolio to 2.245.1 or later. If that is not immediately possible, restrict the server's outbound network access (in particular to link-local, loopback and private ranges), harden the cloud metadata service, and validate the destination of asset-import requests.
No active exploitation had been reported as of the disclosure date (2026-03-06) and the CVE is not in the CISA KEV catalog, but the critical severity and the ease of exploiting an SSRF warrant prompt patching.
Refer to the official Ghostfolio security advisory for details and updates on CVE-2026-28680: [https://ghostfolio.org/security/advisories](https://ghostfolio.org/security/advisories)