CVE-2026-50890
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk5th percentile — higher than 5% of all known CVEs
Summary
In version 4.6.0 of the grocy application, a SQL injection vulnerability was discovered in the product-group parameter at /stockreports/spendings. This allows attackers to access sensitive database information via a crafted SQL statement.
Risk Assessment
This vulnerability may lead to the exposure of confidential data from the database, posing a serious threat to the organization's security.
Recommendation
It is recommended to update the grocy application to the latest version and implement input filtering and validation to minimize the risk of SQL injection.
Original NVD description (English source)
Bernd Bestel grocy v4.6.0 was discovered to contain a SQL injection vulnerability in the product-group parameter at /stockreports/spendings. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement.

