3 matches found
CVE-2026-59709 Ghostfolio - Unauthorized Portfolio Holding Tag Modification via Missing Permission Check
Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove...
CVE-2026-59709
Ghostfolio CVE-2026-59709 affects the PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint. The root cause is a missing verification of Access.permissions when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with va...
PT-2026-56198
Name of the Vulnerable Software and Affected Versions Ghostfolio affected versions not specified Description An issue exists where the 'PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags' endpoint fails to verify the Access.permissions field when processing the Impersonation-Id header. This...