CVE-2026-29784
Published 2026-03-07
Priority P3 · 41 · high · CVSS 3.1 base score 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS 0.16% (5.3th percentile)
Ghost is a Node.js content management system. In versions 5.101.6 through 6.19.2, incomplete CSRF protections around `/session/verify` made it possible to redeem one-time codes (OTCs) in a login session other than the one that requested them. In some scenarios this may have made it easier for phishers to take over a Ghost site. The issue is fixed in version 6.19.3.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ghost | ghost | >= 5.101.6 < 6.19.3 | 6.19.3 |
| tryghost | ghost | — | — |
GHSA (ghsa · 2026-03-05)
CVE-2026-29784 [HIGH] CWE-352 Ghost has incomplete CSRF protections around OTC use
### Impact
Incomplete CSRF protections around `/session/verify` made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost site.
### Vulnerable versions
This vulnerability is present in Ghost from v5.101.6 up to v6.19.2.
### Patches
v6.19.3 contains a fix for this issue.
### How to update
For self-hosters using Docker, find [Docker's official Ghost image here](https://hub.docker.com/_/ghost). Updating a Docker-based Ghost instance [is documented here](https://docs.ghost.org/install/docker#updating-ghost).
If a project's Ghost is a Ghost-CLI install see the documentation on [updating it to the latest version here](https:/
OSV (osv · 2026-03-05)
CVE-2026-29784 [HIGH] Ghost has incomplete CSRF protections around OTC use
Advisory text identical to the GHSA entry above.
No detection rules found.
No public exploits indexed.
Published 2026-03-07