{"id":"CVE-2026-28785","summary":"Ghostfolio: Time-Based Blind SQL Injection in Manual Asset Import","details":"Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL commands via the getHistorical() method, potentially allowing them to read, modify, or delete sensitive financial data for all users in the database. This issue has been patched in version 2.244.0.","aliases":["GHSA-m5cc-7jw5-34xp"],"modified":"2026-04-10T05:42:29.903354Z","published":"2026-03-06T04:27:07.645Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28785.json","cwe_ids":["CWE-89"]},"references":[{"type":"WEB","url":"https://github.com/ghostfolio/ghostfolio/releases/tag/2.244.0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28785.json"},{"type":"ADVISORY","url":"https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-m5cc-7jw5-34xp"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28785"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ghostfolio/ghostfolio","events":[{"introduced":"0"},{"fixed":"0fee18908f37792e38080b3b0686f81802f635aa"}]}],"versions":["1.116.0","1.117.0","1.118.0","1.120.0","1.121.0","1.122.0","1.123.0","1.124.0","1.125.0","1.126.0","1.127.0","1.128.0","1.129.0","1.130.0","1.131.0","1.131.1","1.132.0","1.132.1","1.133.0","1.134.0","1.135.0","1.136.0","1.137.0","1.138.0","1.139.0","1.140.0","1.140.1","1.140.2","1.141.0","1.141.1","1.142.0","1.143.0","1.144.0","1.145.0","1.146.0","1.146.1","1.146.2","1.146.3","1.147.0","1.148.0","1.149.0","1.150.0","1.151.0","1.152.0","1.153.0","1.154.0","1.155.0","1.156.0","1.157.0","1.158.0","1.158.1","1.159.0","1.160.0","1.161.0","1.161.1","1.162.0","1.163.0","1.164.0","1.165.0","1.166.0","1.167.0","1.168.0","1.169.0","1.170.0","1.171.0","1.172.0","1.173.0","1.174.0","1.175.0","1.176.0","1.176.1","1.176.2","1.177.0","1.178.0","1.179.0","1.179.1","1.179.2","1.179.3","1.179.4","1.179.5","1.180.0","1.180.1","1.181.0","1.181.1","1.181.2","1.182.0","1.183.0","1.184.0","1.184.1","1.184.2","1.185.0","1.186.0","1.186.1","1.186.2","1.187.0","1.188.0","1.189.0","1.190.0","1.191.0","1.192.0","1.193.0","1.194.0","1.195.0","1.196.0","1.197.0","1.198.0","1.199.0","1.199.1","1.200.0","1.201.0","1.202.0","1.203.0","1.204.0","1.204.1","1.205.0","1.205.1","1.205.2","1.206.0","1.206.1","1.206.2","1.207.0","1.208.0","1.209.0","1.210.0","1.211.0","1.212.0","1.213.0","1.214.0","1.215.0","1.216.0","1.217.0","1.218.0","1.219.0","1.220.0","1.221.0","1.222.0","1.223.0","1.224.0","1.225.0","1.226.0","1.227.0","1.227.1","1.228.0","1.228.1","1.229.0","1.230.0","1.231.0","1.232.0","1.233.0","1.234.0","1.235.0","1.236.0","1.237.0","1.238.0","1.239.0","1.240.0","1.241.0","1.242.0","1.243.0","1.244.0","1.245.0","1.246.0","1.247.0","1.248.0","1.249.0","1.250.0","1.251.0","1.252.0","1.252.1","1.252.2","1.253.0","1.254.0","1.255.0","1.256.0","1.257.0","1.258.0","1.259.0","1.260.0","1.261.0","1.262.0","1.263.0","1.264.0","1.265.0","1.266.0","1.267.0","1.268.0","1.269.0","1.270.0","1.270.1","1.271.0","1.272.0","1.273.0","1.274.0","1.275.0","1.276.0","1.277.0","1.278.0","1.279.0","1.280.0","1.280.1","1.281.0","1.282.0","1.283.0","1.283.1","1.283.2","1.283.3","1.283.4","1.283.5","1.284.0","1.285.0","1.286.0","1.287.0","1.288.0","1.289.0","1.290.0","1.291.0","1.292.0","1.293.0","1.294.0","1.295.0","1.296.0","1.297.0","1.297.1","1.297.2","1.297.3","1.297.4","1.298.0","1.299.0","1.299.1","1.300.0","1.301.0","1.301.1","1.302.0","1.303.0","1.304.0","1.305.0","2.0.0","2.1.0","2.10.0","2.100.0","2.101.0","2.102.0","2.103.0","2.103.0-alpha","2.104.0","2.104.1","2.105.0","2.106.0","2.106.0-alpha.1","2.106.0-beta.1","2.106.0-beta.2","2.106.0-beta.3","2.106.0-beta.4","2.106.0-beta.5","2.106.0-beta.6","2.107.0","2.107.1","2.108.0","2.109.0","2.11.0","2.110.0","2.111.0","2.112.0","2.113.0","2.114.0","2.115.0","2.116.0","2.117.0","2.118.0","2.119.0","2.12.0","2.120.0","2.121.0","2.121.1","2.122.0","2.123.0","2.124.0","2.124.1","2.125.0","2.126.0","2.126.1","2.127.0","2.128.0","2.129.0","2.13.0","2.130.0","2.131.0","2.132.0","2.133.0","2.133.1","2.134.0","2.135.0","2.136.0","2.137.0","2.137.1","2.138.0","2.139.0","2.139.1","2.14.0","2.140.0","2.141.0","2.142.0","2.143.0","2.144.0","2.145.0","2.145.1","2.146.0","2.147.0","2.148.0","2.149.0","2.15.0","2.150.0","2.151.0","2.152.0","2.152.1","2.153.0","2.154.0","2.155.0","2.156.0","2.157.0","2.157.1","2.158.0","2.159.0","2.16.0","2.160.0","2.161.0","2.162.0","2.162.1","2.163.0","2.164.0","2.165.0","2.166.0","2.167.0","2.168.0","2.169.0","2.17.0","2.170.0","2.171.0","2.171.0-beta.4","2.172.0","2.173.0","2.174.0","2.175.0","2.176.0","2.177.0","2.178.0","2.179.0","2.18.0","2.180.0","2.181.0","2.182.0","2.183.0","2.184.0","2.185.0","2.186.0","2.187.0","2.188.0","2.189.0","2.19.0","2.190.0","2.191.0","2.191.1","2.192.0","2.193.0","2.194.0","2.195.0","2.196.0","2.197.0","2.198.0","2.199.0","2.199.0-beta.0","2.2.0","2.20.0","2.200.0","2.201.0","2.202.0","2.203.0","2.204.0","2.205.0","2.206.0","2.207.0","2.208.0","2.209.0","2.21.0","2.210.0","2.210.1","2.211.0","2.211.0-beta.0","2.212.0","2.213.0","2.214.0","2.215.0","2.215.0-beta.1","2.216.0","2.217.0","2.217.1","2.218.0","2.219.0","2.22.0","2.220.0","2.221.0","2.222.0","2.223.0","2.224.0","2.224.1","2.224.2","2.225.0","2.226.0","2.227.0","2.228.0","2.229.0","2.23.0","2.230.0","2.231.0","2.232.0","2.233.0","2.234.0","2.235.0","2.236.0","2.237.0","2.238.0","2.239.0","2.24.0","2.240.0","2.241.0","2.242.0","2.243.0","2.25.0","2.25.1","2.26.0","2.27.0","2.27.1","2.28.0","2.29.0","2.3.0","2.30.0","2.31.0","2.32.0","2.33.0","2.34.0","2.35.0","2.36.0","2.37.0","2.38.0","2.39.0","2.4.0","2.40.0","2.41.0","2.42.0","2.43.0","2.43.1","2.44.0","2.45.0","2.46.0","2.47.0","2.48.0","2.48.1","2.49.0","2.5.0","2.50.0","2.51.0","2.52.0","2.53.0","2.53.1","2.54.0","2.55.0","2.56.0","2.57.0","2.58.0","2.59.0","2.6.0","2.60.0","2.61.0","2.61.1","2.62.0","2.63.0","2.63.1","2.63.2","2.64.0","2.65.0","2.66.0","2.66.1","2.66.2","2.66.3","2.67.0","2.68.0","2.69.0","2.7.0","2.70.0","2.71.0","2.72.0","2.73.0","2.74.0","2.75.0","2.75.1","2.76.0","2.77.0","2.77.1","2.78.0","2.79.0","2.8.0","2.80.0","2.81.0","2.82.0","2.83.0","2.84.0","2.85.0","2.86.0","2.87.0","2.88.0","2.89.0","2.9.0","2.90.0","2.91.0","2.92.0","2.93.0","2.94.0","2.95.0","2.96.0","2.97.0","2.98.0","2.99.0","V1.49.0","v.1.5.0","v0.85.0","v0.86.1","v0.87.0","v0.88.0","v0.89.0","v0.90.0","v0.91.0","v0.92.0","v0.94.0","v0.95.0","v0.96.0","v0.97.0","v0.98.0","v0.99.0","v1.0.0","v1.1.0","v1.10.0","v1.10.1","v1.100.0","v1.101.0","v1.102.0","v1.103.0","v1.104.0","v1.105.0","v1.106.0","v1.107.0","v1.108.0","v1.109.0","v1.11.0","v1.110.0","v1.111.0","v1.112.0","v1.112.1","v1.113.0","v1.114.1","v1.115.0","v1.12.0","v1.13.0","v1.14.0","v1.15.0","v1.16.0","v1.17.0","v1.18.0","v1.19.0","v1.2.0","v1.2.1","v1.20.0","v1.21.0","v1.22.0","v1.23.0","v1.23.1","v1.24.0","v1.25.0","v1.26.0","v1.27.0","v1.28.0","v1.29.0","v1.3.0","v1.30.0","v1.31.0","v1.31.1","v1.32.0","v1.33.0","v1.34.0","v1.35.0","v1.36.0","v1.37.0","v1.38.0","v1.39.0","v1.4.0","v1.40.0","v1.41.0","v1.42.0","v1.43.0","v1.44.0","v1.45.0","v1.46.0","v1.47.1","v1.48.0","v1.49.0","v1.5.0","v1.51.0","v1.52.0","v1.53.0","v1.54.0","v1.55.0","v1.56.0","v1.57.0","v1.58.0","v1.58.1","v1.59.0","v1.6.0","v1.60.0","v1.61.0","v1.62.0","v1.63.0","v1.64.0","v1.65.0","v1.66.0","v1.67.0","v1.68.0","v1.69.0","v1.7.0","v1.70.0","v1.71.0","v1.72.0","v1.73.0","v1.74.0","v1.75.0","v1.76.0","v1.77.0","v1.78.0","v1.79.0","v1.8.0","v1.80.0","v1.81.0","v1.82.0","v1.83.0","v1.84.0","v1.85.0","v1.86.0","v1.87.0","v1.88.0","v1.89.0","v1.9.0","v1.90.0","v1.91.0","v1.92.0","v1.93.0","v1.94.0","v1.95.0","v1.96.0","v1.97.0","v1.98.0","v1.99.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28785.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"}]}