PatchSiren

Ghostfolio CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH ghostfolio CVE published 2026-07-07

CVE-2026-59708

CVE-2026-59708 is a high-severity vulnerability in Ghostfolio, a portfolio management tool. The vulnerability exists in the GET /api/v1/public/:accessId/portfolio endpoint, which accepts private access IDs without validating granteeUserId filtering. This allows unauthenticated attackers to retrieve sensitive portfolio information, including holdings, quantities, buy prices, and performance metrics. The vu [truncated]

MEDIUM Ghostfolio CVE published 2026-07-07

CVE-2026-59709

CVE-2026-59709 debrief: The CVE record was published on 2026-07-07T15:16:49.430Z and has not been modified since then. The NVD entry is currently Received. This vulnerability affects Ghostfolio's portfolio management functionality, specifically the PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint, which fails to verify the Access.permissions field when processing the Impersonation-Id header [truncated]