CVE | added 2026/03/06 4:27 a.m. | 18 views

CVE-2026-28785

Ghostfolio prior to version 2.244.0 is vulnerable to arbitrary SQL execution via the getHistorical() method due to symbol validation bypass, potentially allowing read/modify/delete of sensitive financial data for all users. Affected software: Ghostfolio open source wealth management. Root cause: ...

CVSS: 9.8 | AI score: 6.1 | EPSS: 0.00078
Exploits: 0 | References: 2 | Affected software: 1
OSV | added 2026/03/06 4:27 a.m. | 3 views

CVE-2026-28785 Ghostfolio: Time-Based Blind SQL Injection in Manual Asset Import

Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL commands via the getHistorical method, potentially allowing them to read, modify, or delete sensitive financial data for all users in the...

CVSS: 9.3 | AI score: 6 | EPSS: 0.00078
Exploits: 0 | References: 4
EUVD | added 2026/03/06 4:26 a.m. | 2 views

EUVD-2026-9990

Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal network services. This issue has been patched in...

CVSS: 9.3 | AI score: 5.8 | EPSS: 0.00055
Exploits: 0 | References: 2
OSV | added 2026/03/06 4:26 a.m. | 2 views

CVE-2026-28680 Ghostfolio: Full-Read SSRF in Manual Asset Import

Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal network services. This issue has been patched in...

CVSS: 9.3 | AI score: 5.7 | EPSS: 0.00055
Exploits: 0 | References: 4
CVE | added 2026/03/06 4:26 a.m. | 10 views

CVE-2026-28680

CVE-2026-28680 affects Ghostfolio before version 2.245.0. An attacker can abuse the manual asset import feature to perform a full-read SSRF, enabling exfiltration of sensitive cloud metadata (IMDS) and the ability to probe internal network services. The vulnerability exhibits high confidentiality...

CVSS: 9.3 | AI score: 5.8 | EPSS: 0.00055
Exploits: 0 | References: 2 | Affected software: 1
Cvelist | added 2026/03/06 4:26 a.m. | 25 views

CVE-2026-28680 Ghostfolio: Full-Read SSRF in Manual Asset Import

Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal network services. This issue has been patched in...

CVSS: 9.3 | EPSS: 0.00055
Exploits: 0 | References: 2
Vulnrichment | added 2026/03/06 4:26 a.m. | 2 views

CVE-2026-28680 Ghostfolio: Full-Read SSRF in Manual Asset Import

Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal network services. This issue has been patched in...

CVSS: 9.3 | AI score: 5.7 | EPSS: 0.00055
Exploits: 0 | References: 2
NVD | added 2026/03/06 4:16 a.m. | 2 views

CVE-2026-28502

WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality. The issue allowed an authenticated administrator to upload a specially crafted ZIP archive...

CVSS: 9.3 | EPSS: 0.00324
Exploits: 0 | References: 3
CVE | added 2026/03/06 4:12 a.m. | 9 views

CVE-2026-28507

CVE-2026-28507 affects Idno (social publishing platform). Public disclosures and Red Hat/Veracode entries describe two chained vulnerabilities leading to remote code execution: 1) Arbitrary PHP file write during WordPress import via importImagesFromBodyHTML, leveraging uncontrolled outbound fopen...

CVSS: 8.6 | AI score: 6.5 | EPSS: 0.00644
Exploits: 1 | References: 2 | Affected software: 1
Vulnrichment | added 2026/03/06 4:12 a.m. | 2 views

CVE-2026-28507 Idno: Remote Code Execution via Chained Import File Write and Template Path Traversal

Idno is a social publishing platform. Prior to version 1.6.4, there is a remote code execution vulnerability via chained import file write and template path traversal. This issue has been patched in version 1.6.4...

CVSS: 8.6 | AI score: 6.3 | EPSS: 0.00644
Exploits: 1 | References: 2
Cvelist | added 2026/03/06 4:12 a.m. | 26 views

CVE-2026-28507 Idno: Remote Code Execution via Chained Import File Write and Template Path Traversal

Idno is a social publishing platform. Prior to version 1.6.4, there is a remote code execution vulnerability via chained import file write and template path traversal. This issue has been patched in version 1.6.4...

CVSS: 8.6 | EPSS: 0.00644
Exploits: 1 | References: 2
OSV | added 2026/03/06 4:12 a.m. | 2 views

CVE-2026-28507 Idno: Remote Code Execution via Chained Import File Write and Template Path Traversal

Idno is a social publishing platform. Prior to version 1.6.4, there is a remote code execution vulnerability via chained import file write and template path traversal. This issue has been patched in version 1.6.4...

CVSS: 8.6 | AI score: 6.3 | EPSS: 0.00644
Exploits: 1 | References: 4
ATTACKERKB | added 2026/03/06 3:4 a.m. | 4 views

CVE-2026-28502

WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality. The issue allowed an authenticated administrator to upload a specially crafted ZIP archive...

CVSS: 9.3 | AI score: 6.1 | EPSS: 0.00324
Exploits: 0 | References: 4 | Affected software: 1
CNNVD | added 2026/03/06 12:0 a.m. | 3 views

Idno operating system command injection vulnerability

Idno is a social content publishing platform developed by Idno OpenSource. Versions of Idno prior to 1.6.4 contained a vulnerability related to operating system command injection. This vulnerability stemmed from write operations on linked import files and path traversal through templates, which...

CVSS: 8.6 | AI score: 6.2 | EPSS: 0.00644
Exploits: 1 | References: 2
Amazon | added 2026/03/06 12:0 a.m. | 6 views

Medium: qt5-qt3d

Issue Overview: A vulnerability classified as critical has been found in Open Asset Import Library (Assimp) 5.4.3. This affects the function Assimp::AC3DImporter::ConvertObjectSection of the file code/AssetLib/AC/ACLoader.cpp of the component AC3D File Handler. The manipulation of the argument tmp...

CVSS: 8.8 | AI score: 5.9 | EPSS: 0.0012
Exploits: 2
Positive Technologies | added 2026/03/06 12:0 a.m. | 3 views

PT-2026-23793

Name of the Vulnerable Software and Affected Versions: Soft Serve versions 0.6.0 through 0.11.3. Description: Soft Serve, a self-hostable Git server, contains a server-side request forgery (SSRF) issue. An authenticated SSH user can manipulate the server to make HTTP requests to internal or private IP...

CVSS: 9.9 | AI score: 5.8 | EPSS: 0.07313
Exploits: 68 | References: 145
Positive Technologies | added 2026/03/06 12:0 a.m. | 1 view

PT-2026-23646

Name of the Vulnerable Software and Affected Versions: Ghostfolio versions prior to 2.245.0. Description: Ghostfolio, an open source wealth management software, contains a server-side request forgery (SSRF) issue. An attacker can exploit the manual asset import feature to perform a full-read SSRF. Thi...

CVSS: 9.3 | AI score: 5.8 | EPSS: 0.00055
Exploits: 0 | References: 8
Amazon | added 2026/03/06 12:0 a.m. | 4 views

Medium: gimp

Issue Overview: GIMP: PSD loader: heap-buffer-overflow in freadpascalstring (no null terminator) (CVE-2026-2239). An integer overflow vulnerability has been identified in the PSP (Paint Shop Pro) file parser of GIMP. The issue occurs in the readcreatorblock function, where the Creator metadata block is...

CVSS: 6.5 | AI score: 6.1 | EPSS: 0.00059
Exploits: 3
Positive Technologies | added 2026/03/06 12:0 a.m. | 4 views

PT-2026-23744

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery (SSRF) via attachment URL loading. During board import in Wekan, attachment URLs from user-supplied JSON data are fetched directly by the server without any URL validation or...

CVSS: 9.3 | AI score: 5.8 | EPSS: 0.0004
Exploits: 0 | References: 4
Positive Technologies | added 2026/03/06 12:0 a.m. | 3 views

PT-2026-23666

Name of the Vulnerable Software and Affected Versions: Zabbix (affected versions not specified). Description: A Zabbix user with the 'User' role and template/host write permissions can create objects using the configuration.import API. This can result in unauthorized hosts being created, leading to...

CVSS: 8.1 | AI score: 5.5 | EPSS: 0.00015
Exploits: 0 | References: 19