Q: Root Cause? (CWE/Flaw)

🛡️ **Root Cause**: **CWE-918** (Server-Side Request Forgery). The flaw lies in the **manual asset import** function, which fails to properly validate URLs, allowing the server to make unintended requests.

Q: Who is affected? (Versions/Components)

👥 **Affected**: **Ghostfolio** (Personal Wealth Management Software). Specifically, versions **prior to 2.245.0**. 📦 Product: ghostfolio.

Q: What can hackers do? (Privileges/Data)

🕵️ **Attacker Capabilities**: Can perform **full read** of server-side requests. 📉 **Impact**: High Confidentiality loss (C:H), Low Integrity impact (I:L). Can expose **cloud metadata** or probe **internal networks**.

Q: Is exploitation threshold high? (Auth/Config)

🔓 **Exploitation Threshold**: **LOW**. CVSS indicates **AV:N** (Network), **AC:L** (Low Complexity), **PR:N** (No Privileges), **UI:N** (No User Interaction). Easy to exploit remotely.

Q: Is there a public Exp? (PoC/Wild Exploitation)

💣 **Public Exploit**: **No**. The `pocs` field is empty. While the advisory is public, no specific PoC or wild exploitation code is currently available in the data.

Q: How to self-check? (Features/Scanning)

🔍 **Self-Check**: Scan for **Ghostfolio** instances running version **< 2.245.0**. Look for the **manual asset import** endpoint. Use SSRF scanners to test if the server fetches internal IPs or cloud metadata endpoints.

Q: Is it fixed officially? (Patch/Mitigation)

✅ **Official Fix**: **Yes**. Fixed in version **2.245.0**. 📝 Reference: [GitHub Advisory GHSA-hhv6-c34h-pwgh](https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-hhv6-c34h-pwgh).

Q: What if no patch? (Workaround)

🚧 **No Patch Workaround**: If you cannot upgrade, **disable** or restrict the **manual asset import** feature. Implement strict **URL allowlisting** or **network segmentation** to block internal/cloud metadata access.

Q: Is it urgent? (Priority Suggestion)

⚡ **Urgency**: **HIGH**. CVSS Score implies significant risk (S:C, C:H). With **No Auth** required and **Low Complexity**, immediate patching to **v2.245.0+** is strongly recommended.

Question 1

What is this vulnerability? (Essence + Consequences)

Accepted Answer

🚨 **Essence**: Ghostfolio < 2.245.0 suffers from **SSRF** (Server-Side Request Forgery).…

Question 2

Root Cause? (CWE/Flaw)

Accepted Answer

🛡️ **Root Cause**: **CWE-918** (Server-Side Request Forgery). The flaw lies in the **manual asset import** function, which fails to properly validate URLs, allowing the server to make unintended requests.

Question 3

Who is affected? (Versions/Components)

Accepted Answer

👥 **Affected**: **Ghostfolio** (Personal Wealth Management Software). Specifically, versions **prior to 2.245.0**. 📦 Product: ghostfolio.

Question 4

What can hackers do? (Privileges/Data)

Accepted Answer

🕵️ **Attacker Capabilities**: Can perform **full read** of server-side requests. 📉 **Impact**: High Confidentiality loss (C:H), Low Integrity impact (I:L). Can expose **cloud metadata** or probe **internal networks**.

Question 5

Is exploitation threshold high? (Auth/Config)

Accepted Answer

🔓 **Exploitation Threshold**: **LOW**. CVSS indicates **AV:N** (Network), **AC:L** (Low Complexity), **PR:N** (No Privileges), **UI:N** (No User Interaction). Easy to exploit remotely.

Question 6

Is there a public Exp? (PoC/Wild Exploitation)

Accepted Answer

💣 **Public Exploit**: **No**. The `pocs` field is empty. While the advisory is public, no specific PoC or wild exploitation code is currently available in the data.

Question 7

How to self-check? (Features/Scanning)

Accepted Answer

🔍 **Self-Check**: Scan for **Ghostfolio** instances running version **< 2.245.0**. Look for the **manual asset import** endpoint. Use SSRF scanners to test if the server fetches internal IPs or cloud metadata endpoints.

Question 8

Is it fixed officially? (Patch/Mitigation)

Accepted Answer

✅ **Official Fix**: **Yes**. Fixed in version **2.245.0**. 📝 Reference: [GitHub Advisory GHSA-hhv6-c34h-pwgh](https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-hhv6-c34h-pwgh).

Question 9

What if no patch? (Workaround)

Accepted Answer

🚧 **No Patch Workaround**: If you cannot upgrade, **disable** or restrict the **manual asset import** feature. Implement strict **URL allowlisting** or **network segmentation** to block internal/cloud metadata access.

Question 10

Is it urgent? (Priority Suggestion)

Accepted Answer

⚡ **Urgency**: **HIGH**. CVSS Score implies significant risk (S:C, C:H). With **No Auth** required and **Low Complexity**, immediate patching to **v2.245.0+** is strongly recommended.

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-28680 — AI Deep Analysis Summary

Q1What is this vulnerability? (Essence + Consequences)

Q2Root Cause? (CWE/Flaw)

Q3Who is affected? (Versions/Components)

Q4What can hackers do? (Privileges/Data)

Q5Is exploitation threshold high? (Auth/Config)

Q6Is there a public Exp? (PoC/Wild Exploitation)

Q7How to self-check? (Features/Scanning)

Q8Is it fixed officially? (Patch/Mitigation)

Q9What if no patch? (Workaround)

Q10Is it urgent? (Priority Suggestion)

Continue exploring