A vulnerability was found in Bernd Bestel grocy 4.6.0 . It has been classified as critical . Affected by this issue is some unknown functionality of the file /stockreports/spendings . Performing a manipulation of the argument product-group results in sql injection. This vulnerability is cataloged as CVE-2026-50890 . It is possible to initiate the attack remotely. There is no exploit available.