CVE-2022-28397
Description
An arbitrary file upload vulnerability in the file upload module of Ghost CMS v4.42.0 allows attackers to execute arbitrary code via a crafted file. NOTE: the vendor states that, as detailed in Ghost's security documentation, files can only be uploaded and published by trusted users; this is intentional.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Arbitrary file upload vulnerability in Ghost CMS v4.42.0 allows trusted users to upload a crafted file leading to arbitrary code execution; vendor considers this intentional.
Vulnerability
An arbitrary file upload vulnerability exists in the file upload module of Ghost CMS version 4.42.0 [1]. The vulnerability allows an attacker to upload a crafted file that can lead to arbitrary code execution. Only trusted users with the ability to upload files can exploit this issue [2].
Exploitation
An attacker must have a trusted user account (e.g., admin or editor) on the Ghost CMS instance. The attacker can then upload a malicious file (such as a PHP script or executable) via the file upload module. The file is stored on the server and can be accessed and executed, leading to code execution [1]. No further user interaction is required once the file is uploaded [2].
Impact
Successful exploitation allows the attacker to execute arbitrary code on the server with the privileges of the web server process. This can lead to full compromise of the Ghost CMS instance, including data disclosure, modification, or further lateral movement [1]. The vendor notes that this behavior is intentional because file uploads are restricted to trusted users who already have high-level access [2].
Mitigation
No official patch has been released as the vendor considers the vulnerability by design [2]. Users should limit the number of trusted user accounts and review file upload permissions. Restrict file types and monitor uploaded files for malicious content. Consider using a web application firewall (WAF) to detect and block malicious uploads [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ghost (npm) | <= 4.42.0 | — |
Affected products
- Ghost / CMS (3 entries)
  - osv-coords (2 versions): >= 4.42.0, < 4.42.1 (+ 1 more)
  - (no CPE) range: >= 4.42.0, < 4.42.1
  - (no CPE) range: <= 4.42.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-ffhq-g856-9f2p (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-28397 (GHSA, ADVISORY)
- ghost.com (GHSA, x_refsource_MISC, WEB)
- ghost.org/customers (GHSA, WEB; MITRE, x_refsource_MISC)
- ghost.org/docs/security/ (GHSA, x_refsource_MISC, WEB)
- trends.builtwith.com/cms/Ghost (GHSA, x_refsource_MISC, WEB)
- youtu.be/PncfBetPk2g (GHSA, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.