Critical severity9.8NVD Advisory· Published Apr 12, 2022· Updated Jul 5, 2026
CVE-2022-28397
CVE-2022-28397
Description
An arbitrary file upload vulnerability in the file upload module of Ghost CMS v4.42.0 allows attackers to execute arbitrary code via a crafted file. NOTE: Vendor states as detailed in Ghost's security documentation, files can only be uploaded and published by trusted users, this is intentional.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ghostnpm | <= 4.42.0 | — |
Affected products
3- Ghost/CMSdescription
- osv-coords2 versions
>= 4.42.0, < 4.42.1+ 1 more
- (no CPE)range: >= 4.42.0, < 4.42.1
- (no CPE)range: <= 4.42.0
Patches
Vulnerability mechanics
References
8- youtu.be/PncfBetPk2gnvdExploitThird Party AdvisoryWEB
- github.com/advisories/GHSA-ffhq-g856-9f2pghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-28397ghsaADVISORY
- ghost.comnvdProductWEB
- ghost.org/customersghsaWEB
- ghost.org/customers/nvdProduct
- ghost.org/docs/security/nvdWEB
- trends.builtwith.com/cms/GhostnvdProductWEB
News mentions
0No linked articles in our index yet.