CVE-2026-29784
published 2026-03-07

CVSS 3.1: 8.8 (High), vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Priority: P3 (41)
EPSS: 0.16% (5.3 percentile)
Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost site. This issue has been patched in version 6.19.3.

Affected

3 ranges

Vendor     Product   Version range           Fixed in
ghost      ghost     >= 5.101.6, < 6.19.3    6.19.3
ghost      ghost     >= 5.101.6, < 6.19.3    6.19.3
tryghost   ghost