Home / Vulnerability Intelligence / CVE-2026-28680

CVE-2026-28680 - Vulnerability Analysis

CriticalCVSS: 9.3

Last Updated: March 9, 2026

Ghostfolio - Server Side Request Forgery

Published: March 6, 2026Updated: March 9, 2026Remote Exploitable

Overview

Ghostfolio < 2.245.0 contains a server side request forgery caused by the manual asset import feature, letting attackers exfiltrate sensitive cloud metadata or probe internal network services, exploit requires use of manual asset import.

Severity & Score

Severity: Critical

CVSS Score: 9.3

EPSS Score: 3.0%(Probability of exploitation in next 30 days)

Impact

Attackers can exfiltrate sensitive cloud metadata or probe internal network services, risking data exposure and network reconnaissance.

Mitigation

Update to version 2.245.0.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 6, 2026

🔴 CVE-2026-28680 - Critical (9.3) Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal n... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28680/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-28680
Severity: Critical
CVSS Score: 9.3
Type: server_side_request_forgery
Status: unconfirmed
EPSS: 3.0%
Social Posts: 1

CWE

CWE-918

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

EPSS Score

3.0%Probability of exploitation in the next 30 days