Tryghost Ghost vulnerabilities
21 known vulnerabilities affecting tryghost/ghost.
Total CVEs
21
CISA KEV
0
Public exploits
3
Exploited in wild
1
Severity breakdown
CRITICAL2HIGH8MEDIUM10LOW1
Vulnerabilities
Page 1 of 2
CVE-2026-26980P1HIGHCVSS 7.5ExploitedPoCv>= 3.24.0, < 6.19.12026-02-20
CVE-2026-26980 [HIGH] CWE-89 CVE-2026-26980: Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated a
Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
nvd
CVE-2023-40028P2MEDIUMCVSS 6.5PoCfixed in 5.59.12023-08-15
CVE-2023-40028 [MEDIUM] CWE-22 CVE-2023-40028: Ghost is an open source content management system. Versions prior to 5.59.1 are subject to a vulnera
Ghost is an open source content management system. Versions prior to 5.59.1 are subject to a vulnerability which allows authenticated users to upload files that are symlinks. This can be exploited to perform an arbitrary file read of any file on the host operating system. Site administrators can check for exploitation of this issue by looking for unk
nvd
CVE-2023-31133P2HIGHCVSS 7.5fixed in 5.46.12023-05-08
CVE-2023-31133 [HIGH] CWE-200 CVE-2023-31133: Ghost is an app for new-media creators with tools to build a website, publish content, send newslett
Ghost is an app for new-media creators with tools to build a website, publish content, send newsletters, and offer paid subscriptions to members. Prior to version 5.46.1, due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute force attack.
Ghost(Pro) has already been patched. Mainta
nvd
CVE-2021-29484P3MEDIUMCVSS 6.1PoCv>= 4.0.0, < 4.3.32021-04-29
CVE-2021-29484 [MEDIUM] CWE-79 CVE-2021-29484: Ghost is a Node.js CMS. An unused endpoint added during the development of 4.0.0 has left sites vuln
Ghost is a Node.js CMS. An unused endpoint added during the development of 4.0.0 has left sites vulnerable to untrusted users gaining access to Ghost Admin. Attackers can gain access by getting logged in users to click a link containing malicious code. Users do not need to enter credentials and may not know they've visited a malicious site. Ghost(Pro
nvd
CVE-2026-29053P2CRITICALCVSS 9.8v>= 0.7.2, < 6.19.12026-03-05
CVE-2026-29053 [CRITICAL] CWE-74 CVE-2026-29053: Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted mal
Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in version 6.19.1.
nvd
CVE-2026-22595P3HIGHCVSS 8.1v>= 6.0.0, < 6.11.0v>= 5.121.0, < 5.130.62026-01-10
CVE-2026-22595 [HIGH] CWE-863 CVE-2026-22595: Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through
Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token authentication allowed certain endpoints to be accessed that were only intended to be accessible via Staff Session authentication. External systems that have been authenticated via Staff Tokens f
nvd
CVE-2026-53943P3CRITICALCVSS 9.6v>= 4.0.0, < 6.37.02026-06-24
CVE-2026-53943 [CRITICAL] CWE-524 CVE-2026-53943: Ghost is a Node.js content management system. From until 6.37.0, when Ghost is behind a shared cach
Ghost is a Node.js content management system. From until 6.37.0, when Ghost is behind a shared caching layer that results in cached content being shared between different visitors, an unauthenticated user could send an x-ghost-preview header that altered the rendered frontend response. In affected cache configurations, that response could be stored
nvd
CVE-2026-22594P3HIGHCVSS 8.1v>= 6.0.0, < 6.11.0v>= 5.105.0, < 5.130.62026-01-10
CVE-2026-22594 [HIGH] CWE-287 CVE-2026-22594: Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through
Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0.
nvd
CVE-2026-22596P3HIGHCVSS 7.2v>= 6.0.0, < 6.11.0v>= 5.90.0, < 5.130.62026-01-10
CVE-2026-22596 [HIGH] CWE-89 CVE-2026-22596: Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6
Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has been patched in versions 5.130.6 and 6.11.0.
nvd
CVE-2021-39192P3HIGHCVSS 7.2v>= 4.0.0, < 4.10.02021-09-03
CVE-2021-39192 [HIGH] CWE-200 CVE-2021-39192: Ghost is a Node.js content management system. An error in the implementation of the limits service b
Ghost is a Node.js content management system. An error in the implementation of the limits service between versions 4.0.0 and 4.9.4 allows all authenticated users (including contributors) to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability. This issue is patched in Ghost version 4.10.0. As a
nvd
CVE-2026-29784P3HIGHCVSS 8.8v>= 5.101.6, < 6.19.32026-03-07
CVE-2026-29784 [HIGH] CWE-352 CVE-2026-29784: Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protec
Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost site. This issue has been patched in version 6.19.3.
nvd
CVE-2026-53950P3HIGHCVSS 7.5fixed in 3.1.02026-06-24
CVE-2026-53950 [HIGH] CWE-79 CVE-2026-53950: @tryghost/activitypub is Ghost’s social/federation client app. Prior to 3.1.0, the ActivityPub clien
@tryghost/activitypub is Ghost’s social/federation client app. Prior to 3.1.0, the ActivityPub client in Ghost was vulnerable to JavaScript injection on posts shared by a maliciously customised ActivityPub server. This vulnerability is fixed in 3.1.0.
nvd
CVE-2024-43409P4MEDIUMCVSS 6.5v>= 4.46.0 < 5.89.52024-08-20
CVE-2024-43409 [MEDIUM] CWE-284 CVE-2024-43409: Ghost is a Node.js content management system. Improper authentication on some endpoints used for mem
Ghost is a Node.js content management system. Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read member information. This security vulnerability is present in Ghost v4.46.0-v5.89.4. v5.89.5 contains a fix for this issue.
nvd
CVE-2026-53944P4MEDIUMCVSS 5.8v>= 6.0.9, < 6.21.12026-06-24
CVE-2026-53944 [MEDIUM] CWE-184 CVE-2026-53944: Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, when making an external reque
Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, when making an external request, it is possible to bypass the IP filter that ensures the request isn't going to an internal service using an IPv6 literal which maps to a private IPv4 address. This vulnerability is fixed in 6.21.1.
nvd
CVE-2026-53949P4MEDIUMCVSS 5.3v>= 5.46.1, < 6.21.22026-06-24
CVE-2026-53949 [MEDIUM] CWE-200 CVE-2026-53949: Ghost is a Node.js content management system. From 5.46.1 until 6.21.2, the validation applied to fi
Ghost is a Node.js content management system. From 5.46.1 until 6.21.2, the validation applied to filters on the public API endpoints could be partially bypassed, making it possible to reveal private fields via a brute force attack. If SQLite was used as the database password hashes were fully accessible. If MySQL was used as the database the passwo
nvd
CVE-2026-53946P4MEDIUMCVSS 5.4v>= 6.19.4, < 6.21.12026-06-24
CVE-2026-53946 [MEDIUM] CWE-918 CVE-2026-53946: Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, when re-rendering posts, Gho
Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, when re-rendering posts, Ghost would refetch missing image dimensions by issuing an outbound HTTP request to the URL stored on an image card — without restricting that URL to trusted image hosts. An authenticated staff user able to create or edit posts could therefore point an i
nvd
CVE-2026-53947P4MEDIUMCVSS 5.3v>= 5.18.0, < 6.21.12026-06-24
CVE-2026-53947 [MEDIUM] CWE-204 CVE-2026-53947: Ghost is a Node.js content management system. From 5.18.0 until 6.21.1, a discrepancy in responses f
Ghost is a Node.js content management system. From 5.18.0 until 6.21.1, a discrepancy in responses from the members signin endpoints made it possible for an unauthenticated attacker to determine whether a given email address belongs to a registered member of a Ghost site. This vulnerability is fixed in 6.21.1.
nvd
CVE-2026-24778P4MEDIUMCVSS 6.1v@tryghost/portal >= 2.29.1, < 2.51.5v@tryghost/portal >= 2.52.0, < 2.57.1+2 more2026-01-27
CVE-2026-24778 [MEDIUM] CWE-79 CVE-2026-24778: Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.
Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim's permissions, potentially leading to account takeover. Ghost Portal versions 2.29.1
nvd
CVE-2026-53948P4MEDIUMCVSS 5.4v>= 6.19.4, < 6.21.12026-06-24
CVE-2026-53948 [MEDIUM] CWE-434 CVE-2026-53948: Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, insufficient validation of t
Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, insufficient validation of the client-supplied Content-Type on Ghost's Admin API file upload endpoint allowed uploaded files to be served from the site with an attacker-chosen content type on S3/GCS storage backends. On installations that serve uploaded files from the same origi
nvd
CVE-2026-53945P4MEDIUMCVSS 4.0v>= 6.0.9, < 6.21.12026-06-24
CVE-2026-53945 [MEDIUM] CWE-367 CVE-2026-53945: Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, Ghost’s private-IP check for
Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, Ghost’s private-IP check for outbound HTTP requests could be bypassed via DNS rebinding, allowing an attacker to coerce the Ghost server into reaching hosts on internal networks through features that issue external fetches. This vulnerability is fixed in 6.21.1.
nvd
1 / 2Next →