PatchSiren cyber security CVE debrief
CVE-2026-50890 grocy CVE debrief
A SQL injection vulnerability was discovered in grocy v4.6.0, specifically in the product-group parameter at /stockreports/spendings. This vulnerability, tracked as CVE-2026-50890, enables attackers to access sensitive database information by injecting malicious SQL statements.
- Vendor: grocy
- Product: grocy
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Users of grocy v4.6.0 should be aware of this vulnerability and take necessary actions to mitigate it.
Technical summary
The vulnerability is caused by insufficient input validation in the product-group parameter at /stockreports/spendings, allowing attackers to inject malicious SQL statements.
Defensive priority
High
Recommended defensive actions
- Update to a patched version of grocy, if available.
- Implement input validation and sanitization for the product-group parameter.
- Monitor database activity for suspicious queries.
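One way to complement the validation and monitoring advice above at the web tier, as an added example that is not grocy's code and not part of the advisory: it scans access-log lines for requests to /stockreports/spendings whose product-group value is not a plain number. The combined log format, the constructed sample lines, and the premise that legitimate values are numeric IDs (or empty) are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/stockreports/spendings"   # path named in the advisory
PARAM = "product-group"                # parameter named in the advisory
# Assumption: a legitimate value is a numeric ID, or empty for "no filter".
ALLOWED = re.compile(r"\d{0,10}")

# Client address and request target of a combined-log-format entry (assumed format).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_requests(lines):
    """Return (client_ip, decoded_value) for every request to ENDPOINT whose
    PARAM value falls outside the allowlist."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        url = urlsplit(m.group("target"))
        # endswith() also covers installs served from a sub-path such as /grocy
        if not url.path.rstrip("/").endswith(ENDPOINT):
            continue
        # parse_qs URL-decodes, so encoded values are checked in decoded form;
        # a repeated parameter yields several values and each one is checked.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if not ALLOWED.fullmatch(value):
                hits.append((m.group("ip"), value))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jun/2026:10:00:01 +0000] "GET /stockreports/spendings?product-group=3 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [15/Jun/2026:10:00:05 +0000] "GET /stockreports/spendings HTTP/1.1" 200 5300',
    '198.51.100.7 - - [15/Jun/2026:10:02:11 +0000] "GET /stockreports/spendings?product-group=3%27 HTTP/1.1" 200 9100',
    '203.0.113.4 - - [15/Jun/2026:10:03:00 +0000] "GET /stockoverview?product-group=abc HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"review: {ip} sent {PARAM}={value!r}")
```

The same allowlist pattern can serve as a reverse-proxy or WAF rule to reject non-numeric values until a patched release is installed.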
Evidence notes
The vulnerability was discovered and reported through a source item from the NVD.
Official resources
- CVE-2026-50890 CVE record (CVE.org)
- CVE-2026-50890 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference: CVE-2026-50890 was published on 2026-06-15T20:16:32.003Z and has not been modified since then.